@@ -71,66 +71,8 @@ CURRENT TODOs
CURRENT ITEM:
# DANGER DANGER - can make two users with the same login. that's not cricket!
- also User model, login and password are not set to required
- also auth route with dubious expectation about salt being only necessary differentiator and collection returned from login which should be one only now after this change



todo: integration tests bombing due to side effect of dltoken creation changing concurrency token for User account
in high speed multiple login scenario, between fetch at start of auth and save of dl token concurrency token has changed by another login
which if same account login again breaks
FIX: fix below and implment new dl token plan will fix this
todo: dl token and multiple logins
- what if user fetches dl token *after* login from route and server returns existing valid dl token from first jwt key login?
- but same issue really, because eventually the token expires and so what happens then, they've just logged in, fresh jwt but dltoken has 1 minute left on it
- possible steps:
user login
fetch session data after login
- route sees no dltoken or expired, generates new one and returns it
User login again
fetch session data after login
- route sees valid dltoken still and just returns it
b4 removal of dltoken:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOiIxNTg4OTgwMDA3IiwiZXhwIjoiMTU4OTU4NDgwNyIsImlzcyI6ImF5YW5vdmEuY29tIiwiaWQiOiIxIiwibmFtZSI6IkF5YU5vdmEgQWRtaW5pc3RyYXRvciIsInVzZXJ0eXBlIjoxLCJheWFub3ZhL3JvbGVzIjoiMTMxMDcxIiwiZGx0IjoiYk1rMjluUVJranBIRkYwdjlYZHBNRlpUL0IyS3ZaVG1PTGhYZEp2dDVEYyJ9.GVKxfOcjk8bLtO3SFRio6epyLYwIYHEyCLCh4DC-bF8"
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOiIxNTg4OTgwMDg0IiwiZXhwIjoiMTU4OTU4NDg4NCIsImlzcyI6ImF5YW5vdmEuY29tIiwiaWQiOiIxIiwibmFtZSI6IkF5YU5vdmEgQWRtaW5pc3RyYXRvciIsInVzZXJ0eXBlIjoxLCJheWFub3ZhL3JvbGVzIjoiMTMxMDcxIiwiZGx0IjoiWS9NTHBsS1pXamxEdHhPS0RuVzhsZTVXUkwxTEhtdVRVSHVycHBJeFEifQ.JAaTDJeDDajk7ljzfarWxG2luO3y4A67zIFqQw2CHAQ
after:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOiIxNTg4OTgzNDY5IiwiZXhwIjoiMTU4OTU4ODI2OSIsImlzcyI6ImF5YW5vdmEuY29tIiwiaWQiOiIxIn0.IWXZSGSJBGXS6AFQYF6ueA9xDFbcqpv3TVgA5fWQxMk
Final:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOiIxNTg5NTg4NzAzIiwiaXNzIjoiYXlhbm92YS5jb20iLCJpZCI6IjEifQ.A9sq8RahA96L31sbOy5OTNLRVdXg-BHBKlVlyGRkQIE
todo: JWT tokens, revoking expiring etc, look at this: https://github.com/ptboyer/restful-api-design-tips#authentication
todo: PLANNING session tracking to prevent logging in from multiple devices with same account
- right now if I login as same user on another browser the download token becomes invalid on the first computer
- so wiki images don't load etc
- Perhaps we track the download token or something during certain requests to server so it can return a 403 and redirect to login if they are on another session
- or maybe the download route should return the not authenticated response to force login again
- maybe part of JWT session key of some kind that must be current to work to prevent multiple logins
- JWT TOKEN for image download??
- JWT TOKEN too large? sb as tiny as possible, currently too much info in it?
ACTION:
- I've decided to *NOT* allow simultaneous same login sessions
- If user logs in then prior jwt is invalidated somehow (in db tracking)
- So user's won't share passwords, gives more control and security and supports future 2fa scenario
- This will absolutely FUCK UP the integration tests so I guess I need a workaround for that
- Actually, are they really logging in fresh again? I think it logs in once and then shares the token...must check
todo: User dl token and other data in JWT not required should be fetched seperately
Currently in token WAY too much stuff:
{ "iat", iat.ToUnixTimeSeconds().ToString() },
{ "exp", exp.ToUnixTimeSeconds().ToString() },//in payload exp must be in unix epoch time per standard
{ "iss", "ayanova.com" },
{ "id", u.Id.ToString() },
{ "name", u.Name},
{ "usertype", u.UserType},
{ "ayanova/roles", ((int)u.Roles).ToString()},
{ "dlt", DownloadToken }



Fix existing integration tests
todo: test for coded fix for can make two users with the same login. that's not cricket!
Add tests as I go while adding all the structure of the workorder and all ops
TBD: Does a labor and other grandchild objects record really have an attachment, wiki, and custom fields?
UI? Will it be a table or a whole form or...??
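Review bot: the claim construction `{ "iat", iat.ToUnixTimeSeconds().ToString() }` and `{ "exp", exp.ToUnixTimeSeconds().ToString() }` in this hunk serialises both timestamps as JSON strings, and the sample tokens pasted above confirm it (the decoded payload carries `"exp":"1589584807"` with quotes). RFC 7519 defines `iat` and `exp` as NumericDate, a JSON number; validators differ on how they treat a string there, some throw and some treat the claim as absent and skip the expiry check, which would quietly defeat the expiry and revocation plan noted under "todo: JWT tokens, revoking expiring etc". Drop the `.ToString()` on those two claims and emit numbers. Separately, the "b4 removal of dltoken", "after" and "Final" lines carry complete HS256-signed tokens for user id 1 of the `ayanova.com` issuer; even once expired, signed tokens do not belong in a tracked TODO file, so replace them with a redacted placeholder such as `<redacted jwt>` or move the before/after comparison into a test fixture with a throwaway signing key.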
@@ -155,6 +97,7 @@ Finish off the v8 test export then get the below shit done so can move to stage
============================
todo: Release AyaNova 7.x (bump version numbers)


todo: ***CLEAN UP OR DELETE***
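Review bot: the added item `todo: ***CLEAN UP OR DELETE***` names no file, route or subsystem, so nobody but the author can act on it; state what is to be cleaned up and why it is a deletion candidate next to the item, as the other todos in this file do. The release item `todo: Release AyaNova 7.x (bump version numbers)` would likewise be easier to carry out if it listed which version fields get bumped, so the release step is reproducible by someone else.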