torus-cli icon indicating copy to clipboard operation
torus-cli copied to clipboard

Published 20 hours ago verified publisher icon manifoldco

Gracefully handle token expiration

Open ianlivingstone opened this issue 7 years ago • 4 comments

If a token expires, or becomes invalid, the daemon does not destroy the session -- instead it will continue to attempt to use its currently stored session until the daemon is restarted or a user explicitly logs out through the CLI.

We should detect this scenario and destroy the session if a 401 is returned.

ianlivingstone avatar Jan 25 '17 02:01 ianlivingstone

Thoughts @jeffandersen @jbowes @jelmersnoeck ?

ianlivingstone avatar Jan 25 '17 02:01 ianlivingstone

You're gonna get a 401 back on requests which you're denied through ACL, so forcing you to log in again after that would suck.

This might involve adding a route specific to just testing auth, and ensure that we call that first?

Unless we can start storing the expiry alongside the token and just have the daemon check that locally first.

jeffandersen avatar Jan 25 '17 13:01 jeffandersen

You're gonna get a 401 back on requests which you're denied through ACL, so forcing you to log in again after that would suck.

Yeah, we'd need to differentiate between an unauthorized access error and invalid session -- ideally through the error message type or some other piece of meta data.

ianlivingstone avatar Jan 25 '17 14:01 ianlivingstone

We should probably differentiate between Forbidden access and not having a valid session (Unauthorized) to support this feature appropriately.

ianlivingstone avatar Jan 27 '17 02:01 ianlivingstone