Revoke and redirect user to revoked page from websockets (realtime)
Previous MRs
- https://gitlab.com/gitlab-org/gitter/webapp/merge_requests/1071
- https://gitlab.com/gitlab-org/gitter/webapp/merge_requests/1132
This was needed so that a user who is logged into the app is properly logged out and redirected to the token revoked page. Previously, you would just sit in the app with revoked tokens, so nothing worked.
Other potential avenues
We have existing functionality to log out the user when we receive a websockets frame that has `message.advice.reconnect === 'none'`, but this only happens if the channel is `/meta/handshake` and we get a 401 error in the request process. The problem is that the `/meta/handshake` request only happens once at the beginning to get a `clientId`, and if we revoke the token afterwards, nothing happens. We could try to re-handshake but I couldn't find a good API in the gitter-realtime-client or halley (has some rehandshake logic inside but not exposed).
- `server/web/bayeux/advice-adjuster.js` -> `public/js/components/realtime.js`, `accessTokenFailureExtension`
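To make the limitation above concrete, here is an added example (not the Gitter webapp's own code) of a Faye/Bayeux incoming extension that applies the existing logout condition, plus constructed sample frames showing that a 401 arriving after the handshake is never caught; the `onTokenRevoked` callback name is an assumption.

```javascript
// Parse the numeric code from a Bayeux error string such as "401::Unauthorized".
function bayeuxErrorCode(message) {
  if (typeof message.error !== 'string') return null;
  const code = parseInt(message.error.split(':')[0], 10);
  return Number.isNaN(code) ? null : code;
}

// True only for the case the existing logic catches: a failed /meta/handshake
// carrying a 401 whose advice says reconnect === 'none'.
function isHandshakeTokenFailure(message) {
  if (message.channel !== '/meta/handshake' || message.successful !== false) return false;
  if (bayeuxErrorCode(message) !== 401) return false;
  return Boolean(message.advice) && message.advice.reconnect === 'none';
}

// Incoming extension in the shape Faye's client.addExtension() accepts.
// `onTokenRevoked` (assumed name) is the caller's logout-and-redirect handler.
function createAccessTokenFailureExtension(onTokenRevoked) {
  return {
    incoming(message, callback) {
      if (isHandshakeTokenFailure(message)) onTokenRevoked(message);
      callback(message); // always pass the frame on, Faye requires this
    }
  };
}

// Constructed sample frames. The third one shows the gap described above: a
// 401 on a later /meta/subscribe (token revoked after the handshake) is ignored.
const SAMPLE_FRAMES = [
  { channel: '/meta/handshake', successful: false, error: '401::Unauthorized', advice: { reconnect: 'none' } },
  { channel: '/meta/handshake', successful: true, clientId: 'abc123' },
  { channel: '/meta/subscribe', successful: false, error: '401::Unauthorized', advice: { reconnect: 'none' } }
];

// Run frames through the extension and count how many triggered a logout.
function countLogoutsFor(frames) {
  let logouts = 0;
  const ext = createAccessTokenFailureExtension(() => { logouts += 1; });
  frames.forEach((frame) => ext.incoming(frame, () => {}));
  return logouts;
}
```

Only the first sample frame triggers the logout handler; the third is exactly the revoked-after-handshake case this MR addresses from the server side instead.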
We also have some logic around the 401/403 status request errors in the GitHub tentacles API calls that logs out the user.
But this has also been brought up as problematic (https://github.com/troupe/gitter-webapp/issues/620): we should only be destroying the GitHub tokens. We currently log the user all the way out so they can sign in and get new tokens, but it isn't strictly necessary to have GitHub tokens to use Gitter.
From my testing, it just left me inside the app and I had to manually refresh to see that all tokens were destroyed and I was logged out.
- `modules/github/lib/bad-credentials-check.js` ->
- `server/web/middlewares/token-error-handler.js` -> `server/web/middlewares/logout-destroy-tokens.js`
Todo
- Handle the case where the client misses the single frame we send out. Perhaps if the token subscription fails, log out.