----- Original message -----
From: Aline Manera <alinefm@linux.vnet.ibm.com>
To: luciojhc@linux.vnet.ibm.com, Harshal Patil/India/IBM@IBMIN, kimchi-devel@ovirt.org
Cc:
Subject: Re: [Kimchi-devel] adding '/auth' for authentication
Date: Thu, Aug 6, 2015 6:27 PM

On 05/08/2015 18:02, Lucio Correia wrote:
> On 08/05/2015 04:27 PM, Aline Manera wrote:
>>
>>
>> On 05/08/2015 14:56, Lucio Correia wrote:
>>> Hi Harshal,
>>>
>>> On 08/02/2015 01:45 PM, Harshal Patil wrote:
>>>> Hi,
>>>> In the 'wok' branch there isn't anything to detect if the session has
>>>> timed out on the browser side. On the other hand, on master (kimchi)
>>>> there is '/vms' endpoint called every 5 seconds which kinda takes care
>>>> of making sure the user is indeed logged in.
>>>> So I was wondering, if no one is already working on it, to introduce a
>>>> '/auth' endpoint which we can poll every 5 seconds using ajax and based
>>>> on the response status code we can either redirect to login page or just
>>>> stay on the same page. This is useful in 'wok' because there isn't any
>>>> '/vms' endpoint which existed in master (kimchi) by default.
>>>> I can submit a patch for review if this sounds good so far. Also, if
>>>> there is a better way of doing it, I would love to hear about it.
>>>> Harshal
>>>>
>>>>
>>>
>>> The 10-minute timeout is still working with wok branch. But it is
>>> only verified if you leave it in "Host" or "Guests" tab. Other tabs'
>>> APIs don't send "wok-robot" in headers.
>>>
>>> Your proposal is good, you will need to send "wok-robot" in '/auth'
>>> headers, and remove the "wok-robot" from kimchi plugin's Host and
>>> Guests API headers.
>>
>> Why do you need an API /auth to check the user is logged in? Shouldn't the
>> "wok-robot" header be enough to do that?
>> Otherwise, we will increase significantly the number of the requests, as
>> the real request would be sent after a /auth request.
>>
>
> Good point Aline, we really don't need /auth. If we want timeout
> checked for every request, I see two alternatives:
> * drop wok-robot verification from check_auth_session() in
>   src/wok/auth.py.
> * add wok-robot headers to requestJSON() in wok.api.js.

I prefer the second alternative. The 'wok-robot' header was created to
distinguish AJAX requests from user requests.

>
> But I don't know why currently only hosts and guests tab use wok-robot.
>

Because only those tabs have logic to poll the request every X seconds.
In fact, we need to add this to every tab to keep consistency and
automatically log out the user when the session expires.
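
The behaviour discussed in this thread, as an added example that is not part of the original message and is not the code in src/wok/auth.py: a simplified model of an idle-timeout check keyed on the robot header, replayed over constructed traffic for a tab whose poll sends the header, a tab whose poll omits it, and a tab that does not poll. The header name and value, the session keys, and the rule that any request without the header counts as user activity are assumptions.

```python
# Added illustration; a simplified model, not the code in src/wok/auth.py.
SESSION_TIMEOUT = 10 * 60      # the 10-minute timeout from the thread, in seconds
ROBOT_HEADER = "Wok-Robot"     # assumed header name
ROBOT_VALUE = "wok-robot"      # assumed header value


class SessionExpired(Exception):
    """Raised when a robot request finds the session idle for too long."""


def check_auth_session(session, headers, now):
    """Model of an idle-timeout check keyed on the robot header.

    Robot (polling) requests only verify the idle time; any other request
    counts as user activity and resets it (assumed behaviour).
    """
    if session.get("username") is None:
        return False
    if headers.get(ROBOT_HEADER) == ROBOT_VALUE:
        if now - session["last_activity"] > SESSION_TIMEOUT:
            session.clear()
            raise SessionExpired("sessionTimeout")
    else:
        session["last_activity"] = now
    return True


def first_expiry(requests):
    """Replay (time, sends_robot_header) pairs; return when the session expired."""
    session = {"username": "admin", "last_activity": 0}  # constructed session
    for now, robot in requests:
        headers = {ROBOT_HEADER: ROBOT_VALUE} if robot else {}
        try:
            check_auth_session(session, headers, now)
        except SessionExpired:
            return now
    return None


# Constructed traffic: one user click at t=0, then a 5-second poll for 20 minutes.
polls = range(5, 1201, 5)
tagged_tab = [(0, False)] + [(t, True) for t in polls]     # poll sends the header
untagged_tab = [(0, False)] + [(t, False) for t in polls]  # poll omits the header
idle_tab = [(0, False), (1200, False)]                     # no polling at all

if __name__ == "__main__":
    print("tagged poll expires at:", first_expiry(tagged_tab))
    print("untagged poll expires at:", first_expiry(untagged_tab))
    print("no poll expires at:", first_expiry(idle_tab))
```

In this model only the tab whose poll carries the header ever logs the user out; a poll without the header resets the idle clock on every request, and a tab with no poll never has the timeout checked.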