Sentiaus opened a new pull request, #3765:
URL: https://github.com/apache/texera/pull/3765

   ## Description
   ---
   This PR mitigates the security issue described in #3737 by removing the token refresh functionality.
   
   ## Problem
   ---
   When users sign in, they receive a new token. This token has a TTL of 2 days (2880 minutes), as defined by `expiration-in-minutes` in `auth.conf`. However, a user's token is refreshed if they make any action that creates a request to the backend, if the token has not already expired. The refresh time is the same as the original TTL; thus, a user could theoretically be signed in indefinitely. From a security perspective this is unsafe.
   
   ## Solution
   ---
   The token refresh functionality was removed from `auth.service.ts`. Additionally, since the `refreshToken` in `auth.service.ts` called the `/refresh` route from the backend, the route and any classes/functions it used were removed (`AuthResource.scala`, `RefreshTokenRequest.scala`). The TTL of the token was then changed to 7 days (10080 minutes) to improve user experience.
   
   ## Side Effects
   ---
   As noted in #3738, when a user's token has expired but they are not logged out, they are still able to access some data but are unable to make any changes.
   Because tokens are no longer refreshed, the user is more likely to encounter this case.
   
   Fixes #3737
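The PR description explains why a sliding refresh defeats the TTL: every request on a still-valid token re-issues it with the full lifetime, so an active user is never forced to re-authenticate. The following is an added simulation, written for this write-up and not code from the Texera project, that models both policies with plain integer minutes. The `Token`, `issue`, `simulate` names and the activity pattern are constructed for the example; the two TTL values are the ones the PR discusses (2880 and 10080 minutes).

```python
"""Added example (not Texera's code): fixed-expiry tokens versus sliding refresh.

Times are integer minutes so the simulation is deterministic and runs offline.
"""
from dataclasses import dataclass
from typing import Optional

ORIGINAL_TTL_MINUTES = 2880   # 2 days, the old `expiration-in-minutes` value
NEW_TTL_MINUTES = 10080       # 7 days, the value the PR switches to
ONE_DAY = 1440
ONE_YEAR = 365 * ONE_DAY


@dataclass
class Token:
    issued_at: int
    expires_at: int


def issue(now: int, ttl: int) -> Token:
    """Mint a token at sign-in with an absolute expiry `ttl` minutes ahead."""
    return Token(issued_at=now, expires_at=now + ttl)


def is_valid(token: Token, now: int) -> bool:
    return now < token.expires_at


def handle_request_with_refresh(token: Token, now: int, ttl: int) -> Optional[Token]:
    """Old behaviour: any request on a still-valid token pushes the expiry out by a full TTL.

    Note that the original sign-in time is preserved but never consulted, which is
    exactly why the session can live forever.
    """
    if not is_valid(token, now):
        return None
    return Token(issued_at=token.issued_at, expires_at=now + ttl)


def handle_request_fixed(token: Token, now: int) -> Optional[Token]:
    """New behaviour: the token is never extended; it is either still valid or gone."""
    return token if is_valid(token, now) else None


def simulate(ttl: int, refresh: bool, activity_interval: int, horizon: int) -> int:
    """Return the minute (after sign-in at t=0) at which the session first fails.

    The user sends one backend request every `activity_interval` minutes. If the
    session is still alive when `horizon` is reached, `horizon` is returned.
    """
    token = issue(0, ttl)
    now = activity_interval
    while now <= horizon:
        if refresh:
            token = handle_request_with_refresh(token, now, ttl)
        else:
            token = handle_request_fixed(token, now)
        if token is None:
            return now
        now += activity_interval
    return horizon


if __name__ == "__main__":
    # A user who makes one request per day, observed over a year (constructed scenario).
    print("old TTL + sliding refresh, fails at minute:",
          simulate(ORIGINAL_TTL_MINUTES, True, ONE_DAY, ONE_YEAR))   # never: 525600 (horizon)
    print("old TTL, no refresh, fails at minute:",
          simulate(ORIGINAL_TTL_MINUTES, False, ONE_DAY, ONE_YEAR))  # 2880
    print("new TTL, no refresh, fails at minute:",
          simulate(NEW_TTL_MINUTES, False, ONE_DAY, ONE_YEAR))       # 10080
```

Running the simulation shows the asymmetry the PR is closing: with refresh enabled, any activity gap shorter than the TTL keeps the session alive indefinitely, so the configured lifetime only bounds idle time, not total session age. With a fixed expiry the session ends at the configured TTL regardless of activity, which is also why the PR can afford to lengthen it to 7 days. The same check is cheap to add as a unit test around whatever validation logic a backend uses: assert that a token issued at time zero is rejected at `ttl` minutes no matter how many requests were made in between.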
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
