Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[82122] updates /revoke to take device_secret param #16676

Merged
merged 10 commits into from
May 21, 2024
Merged

[82122] updates /revoke to take device_secret param #16676

merged 10 commits into from
May 21, 2024

Conversation

bramleyjl
Copy link
Contributor

@bramleyjl bramleyjl commented May 8, 2024
edited

Summary

  • updates /revoke to take optional device_secret parameter
  • if device_secret is present SessionRevoker will attempt to use to it to look up and destroy any other sessions that have a matching hashed_device_secret property

Related issue(s)

Testing done

  • New code is covered by unit tests

Testing

  1. Use an API ClientConfig, make sure to modify shared_sessions to true.
  2. Log in multiple times to create multiple SignIn::OAuthSessions, then modify a session to have a matching hashed_device_secret to the current session you possess the device_secret for:
linked_session = SignIn::OAuthSession.first
hashed_device_secret = Digest::SHA256.hexdigest(device_secret)
linked_session.hashed_device_secret = hashed_device_secret
linked_session.save
SignIn::OAuthSession.where(hashed_device_secret: hashed_device_secret)
  => 2 results
  1. Perform a /revoke call with the access token for your current session and the device_secret passed as a url param:
curl --location --request POST 'http://localhost:3000/v0/sign_in/revoke?device_secret=<device_secret>' \
--header 'Content-Type: application/json' \
--header 'Cookie: vagov_access_token=<vagov_access_token>'
  1. Both sessions should now be deleted:
SignIn::OAuthSession.where(hashed_device_secret: hashed_device_secret)
  => []

What areas of the site does it impact?

  • SiS /revoke

Acceptance criteria

  • I fixed|updated|added unit tests and integration tests for each feature (if applicable).
  • No error nor warning in the console.
  • Events are being sent to the appropriate logging solution
  • Documentation has been updated (link to documentation)
  • No sensitive information (i.e. PII/credentials/internal URLs/etc.) is captured in logging, hardcoded, or specs
  • Feature/bug has a monitor built into Datadog or Grafana (if applicable)
  • If app impacted requires authentication, did you login to a local build and verify all authenticated routes work as expected
  • I added a screenshot of the developed feature

Requested Feedback

(OPTIONAL)What should the reviewers know in addition to the above. Is there anything specific you wish the reviewer to assist with. Do you have any concerns with this PR, why?

@va-vfs-bot va-vfs-bot temporarily deployed to 82122_revoke_device_secret/main/main May 8, 2024 00:33 Inactive
@bramleyjl bramleyjl force-pushed the 82122_revoke_device_secret branch from ee54d65 to 935cb93 Compare May 8, 2024 22:19
@bramleyjl bramleyjl self-assigned this May 8, 2024
@va-vfs-bot va-vfs-bot temporarily deployed to 82122_revoke_device_secret/main/main May 8, 2024 23:48 Inactive
@va-vfs-bot va-vfs-bot temporarily deployed to 82122_revoke_device_secret/main/main May 16, 2024 16:13 Inactive
@bramleyjl bramleyjl marked this pull request as ready for review May 16, 2024 16:17
@bramleyjl bramleyjl requested a review from a team as a code owner May 16, 2024 16:17
@va-vfs-bot va-vfs-bot temporarily deployed to 82122_revoke_device_secret/main/main May 16, 2024 19:37 Inactive
@va-vfs-bot va-vfs-bot temporarily deployed to 82122_revoke_device_secret/main/main May 17, 2024 01:04 Inactive
@va-vfs-bot va-vfs-bot temporarily deployed to 82122_revoke_device_secret/main/main May 17, 2024 20:14 Inactive
bosawt
bosawt approved these changes May 20, 2024
View reviewed changes
Copy link
Contributor

@bosawt bosawt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, I tested this and confirmed it removes all sessions with a shared 'hashed_device_secret'

Also I confirmed a refresh token is necessary to perform this, which eventually we may want to consider whether it's necessary or not in a 'device_secret' revoke, but for now we'll just make refresh token required

@bramleyjl bramleyjl merged commit 41440b4 into master May 21, 2024
19 checks passed
@bramleyjl bramleyjl deleted the 82122_revoke_device_secret branch May 21, 2024 15:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bosawt bosawt bosawt approved these changes

Assignees

@bramleyjl bramleyjl

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@bramleyjl @bosawt @va-vfs-bot