[Kimchi-devel] adding '/auth' for authentication

Aline Manera alinefm at linux.vnet.ibm.com
Thu Aug 6 12:33:33 UTC 2015



On 05/08/2015 18:02, Lucio Correia wrote:
> On 08/05/2015 04:27 PM, Aline Manera wrote:
>>
>>
>> On 05/08/2015 14:56, Lucio Correia wrote:
>>> Hi Harshal,
>>>
>>> On 08/02/2015 01:45 PM, Harshal Patil wrote:
>>>> Hi,
>>>> In the 'wok' branch there isn't anything to detect if the session has
>>>> timed out on the browser side. On the other hand, on master (kimchi)
>>>> there is a '/vms' endpoint called every 5 seconds which kinda takes care
>>>> of making sure the user is indeed logged in.
>>>> So I was wondering, if no one is already working on it, to introduce a
>>>> '/auth' endpoint which we can poll every 5 seconds using ajax and based
>>>> on the response status code we can either redirect to the login page or
>>>> just stay on the same page. This is useful in 'wok' because there isn't
>>>> any '/vms' endpoint which existed in master (kimchi) by default.
>>>> I can submit a patch for review if this sounds good so far. Also, if
>>>> there is a better way of doing it, I would love to hear about it.
>>>> Harshal
>>>>
>>>>
>>>
>>> The 10-minute timeout is still working with the wok branch. But it is
>>> only verified if you leave it in the "Host" or "Guests" tab. Other tabs'
>>> APIs don't send "wok-robot" in their headers.
>>>
>>> Your proposal is good, you will need to send "wok-robot" in '/auth'
>>> headers, and remove the "wok-robot" from kimchi plugin's Host and
>>> Guests API headers.
>>
>> Why do you need an API /auth to check that the user is logged in? Shouldn't
>> the "wok-robot" header be enough to do that?
>> Otherwise, we will increase significantly the number of requests, as
>> the real request would be sent after a /auth request.
>>
>
> Good point Aline, we really don't need /auth. If we want the timeout
> checked for every request, I see two alternatives:
> * drop the wok-robot verification from check_auth_session() in
> src/wok/auth.py.
> * add wok-robot headers to requestJSON() in wok.api.js.

I prefer the second alternative. The 'wok-robot' header was created to 
distinguish AJAX requests from user requests.

>
> But I don't know why currently only hosts and guests tab use wok-robot.
>

Because only those tabs have logic to poll the request every X seconds.
In fact, we need to add this to every tab to keep consistency and
automatically log the user out when the session expires.
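The distinction Aline draws between AJAX polling and user requests is what makes the idle timeout meaningful: a request carrying the robot header must only test whether the session has expired, never refresh it, or a tab polling every 5 seconds would keep a session alive forever. The following is an added example and not wok's own check_auth_session(); it models that logic with a plain dict in place of a CherryPy session and an injected clock so it can be run offline. The header name and value ("wok-robot") and the 10-minute timeout are taken from the thread; the exact refresh behaviour and function names are assumptions.

```python
"""Idle-timeout check that treats background polling as non-activity.

Added example (not wok's code). Assumed from the thread: header
'wok-robot: wok-robot' marks AJAX polling, idle timeout is 10 minutes.
Everything else (dict session, injected `now`) is illustrative.
"""

ROBOT_HEADER = "wok-robot"       # assumed header name, from the thread
ROBOT_VALUE = "wok-robot"        # assumed header value
SESSION_TIMEOUT = 10 * 60        # assumed: 10-minute idle timeout, in seconds


class SessionTimeout(Exception):
    """Raised when the session is missing or idle longer than SESSION_TIMEOUT."""


def new_session(user, now):
    """Create a session for `user`; `now` is seconds since some epoch."""
    return {"user": user, "refresh": now}


def check_auth_session(session, headers, now):
    """Return the logged-in user name or raise SessionTimeout.

    Robot (AJAX polling) requests only *test* the idle timer: they never
    update session['refresh'], so a page polling every 5 seconds cannot
    extend the session. A request without the header is real user activity
    and resets the timer.
    """
    if session is None or session.get("user") is None:
        raise SessionTimeout("not authenticated")

    is_robot = headers.get(ROBOT_HEADER) == ROBOT_VALUE
    idle = now - session["refresh"]
    if is_robot:
        if idle > SESSION_TIMEOUT:
            session["user"] = None   # invalidate so later requests fail as well
            raise SessionTimeout("sessionTimeout")
    else:
        session["refresh"] = now
    return session["user"]


def simulate_polling_only():
    """Poll with robot requests every 5 s for 10 minutes, then past the
    deadline. Returns 'timed-out' if the session expired as intended."""
    s = new_session("alice", now=0.0)
    robot = {ROBOT_HEADER: ROBOT_VALUE}
    for t in range(5, SESSION_TIMEOUT + 1, 5):      # 5 s .. 600 s: all alive
        check_auth_session(s, robot, now=float(t))
    if s["refresh"] != 0.0:
        return "polling refreshed the timer"           # would be the bug
    try:
        check_auth_session(s, robot, now=SESSION_TIMEOUT + 5.0)
        return "still alive after deadline"
    except SessionTimeout:
        pass
    try:                                               # even a user request is now rejected
        check_auth_session(s, {}, now=SESSION_TIMEOUT + 6.0)
        return "invalidated session accepted"
    except SessionTimeout:
        return "timed-out"


if __name__ == "__main__":
    print(simulate_polling_only())
```

Run as is, `simulate_polling_only()` reports "timed-out": 120 robot polls leave the refresh timestamp untouched, the first poll past 600 seconds of idleness fails, and the session is then dead for user requests too. Dropping the header from the polling requests (or, equivalently, dropping the header check server-side) would turn every poll into user activity and the 10-minute timeout would never fire while a tab is open.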
