fix!: bug in JWT vs session user id compare #408
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
robrap
force-pushed
the
robrap/fix-lms-user-id-compare
branch
from
1ac7da0
to
a17fc69
Compare
robrap
changed the title
robrap
force-pushed
the
robrap/fix-lms-user-id-compare
branch
from
a17fc69
to
3b26f05
Compare
If ENABLE_FORGIVING_JWT_COOKIES was enabled, there was a bug for any service other than the identity service(LMS/CMS), where the session's local service user id would never match the JWT LMS user id when compared. This has been fixed. - The custom attribute jwt_auth_mismatch_session_lms_user_id was renamed to jwt_auth_mismatch_session_lms_user_id to make this more clear. - The setting EDX_DRF_EXTENSIONS[VERIFY_LMS_USER_ID_PROPERTY_NAME] was added to enable choosing the user object property that contains the lms_user_id, if one exists. If this is unset, a service will simply skip this additional protection. - The custom attribute jwt_auth_get_lms_user_id_status was added to provide observability into the new functionality. BREAKING CHANGE: The breaking change only affects services with ENABLE_FORGIVING_JWT_COOKIES enabled. It now requires the new setting VERIFY_LMS_USER_ID_PROPERTY_NAME to be set in order to provide the original Session vs JWT user id check. Part of DEPR: #371
robrap
force-pushed
the
robrap/fix-lms-user-id-compare
branch
from
3b26f05
to
90f1c73
Compare
When VERIFY_LMS_USER_ID_PROPERTY_NAME is None, uses lms_user_id as a default (only if found). This is to ease deployment. Also uses special value 'skip-check' to disable, in case of emergency. See updated commit message below: --------------------------------- Fixes a bug for any service other than the identity service (LMS/CMS), where the session's local service user id would never match the JWT LMS user id when compared. - The custom attribute jwt_auth_mismatch_session_lms_user_id was renamed to jwt_auth_mismatch_session_lms_user_id to make this more clear. - The setting EDX_DRF_EXTENSIONS[VERIFY_LMS_USER_ID_PROPERTY_NAME] was added to enable choosing the user object property that contains the LMS user id, if one exists. If this is set to None (the default), the check will use the lms_user_id property if it is found, and otherwise will skip this additional protection. In case of an unforeseen issue, use 'skip-check' to skip the check, even when there is an lms_user_id property. - The custom attribute jwt_auth_get_lms_user_id_status was added to provide observability into the new functionality. BREAKING CHANGE: The breaking change only affects services with ENABLE_FORGIVING_JWT_COOKIES enabled. It now requires the new setting VERIFY_LMS_USER_ID_PROPERTY_NAME to be set appropriately in order to provide the existing Session vs JWT user id check. Note that only LMS/CMS will likely need to set this value. Part of DEPR: #371
robrap
commented
Nov 22, 2023
Comment on lines
+393
to
+398
| # This special value acts like an emergency disable toggle in the event that the user object has an lms_user_id, | ||
| # but this LMS id check starts causing unforeseen issues and needs to be disabled. | ||
| skip_check_property_name = 'skip-check' | ||
| if lms_user_id_property_name == skip_check_property_name: | ||
| set_custom_attribute('jwt_auth_get_lms_user_id_status', skip_check_property_name) | ||
| return None |
There was a problem hiding this comment.
Author Note: It was taking me equally long trying to justify we we might not want this, and since I want to quickly get to removing the forgiven JWT toggle, I would have had no kill switch for this if it turns out to cause an issue. So, I decided to add this additional bit of complexity.
@feanil: Please mark as resolved if you have no response, or start a conversation. Thanks.
feanil
approved these changes
Nov 27, 2023
timmc-edx
reviewed
Nov 27, 2023
| ~~~~~ | ||
| * **BREAKING CHANGE**: Fixes a bug for any service other than the identity service (LMS/CMS), where the session's local service user id would never match the JWT LMS user id when compared. | ||
|
|
||
| * The custom attribute jwt_auth_mismatch_session_lms_user_id was renamed to jwt_auth_mismatch_session_lms_user_id to make this more clear. |
There was a problem hiding this comment.
I think the first copy here is supposed to be jwt_auth_mismatch_session_user_id
There was a problem hiding this comment.
Thanks. I created #411.
robrap
added a commit
to openedx/edx-platform
that referenced
this pull request
Nov 27, 2023
edx-drf-extensions 9.0.0 requires VERIFY_LMS_USER_ID_PROPERTY_NAME to be properly set in LMS to get the appropriate verification when forgiving JWTs is enabled (which will soon be by default). See openedx/edx-drf-extensions#408 for details. This is part of: edx/edx-arch-experiments#429
robrap
added a commit
to openedx/edx-platform
that referenced
this pull request
Nov 27, 2023
Upgrade edx-drf-extensions 9.0.0 Commit generated by workflow `openedx/edx-platform/.github/workflows/upgrade-one-python-dependency.yml@refs/heads/master` edx-drf-extensions 9.0.0 requires VERIFY_LMS_USER_ID_PROPERTY_NAME to be properly set in LMS to get the appropriate verification when forgiving JWTs is enabled (which will soon be by default). See openedx/edx-drf-extensions#408 for details. This is part of: edx/edx-arch-experiments#429 Co-authored-by: robrap <[email protected]>
robrap
added a commit
to robrap/ecommerce
that referenced
this pull request
Nov 27, 2023
9.0.0 fixes ENABLE_FORGIVING_JWT_COOKIES bug. The JWT's LMS user id will now be compared to the user object's lms_user_id, rather than to its id. For details, see: openedx/edx-drf-extensions#408 Note that this won't be put into effect until ENABLE_FORGIVING_JWT_COOKIES is toggled on separately. Also, although this is a major upgrade, it only caused a backward-incompatible issue in edx-platform. There are no other changes required for ecommerce. This is part of the rollout of: edx/edx-arch-experiments#429
1 task
robrap
added a commit
to robrap/ecommerce
that referenced
this pull request
Nov 28, 2023
9.0.0 fixes ENABLE_FORGIVING_JWT_COOKIES bug. The JWT's LMS user id will now be compared to the user object's lms_user_id, rather than to its id. For details, see: openedx/edx-drf-extensions#408 Note that this won't be put into effect until ENABLE_FORGIVING_JWT_COOKIES is toggled on separately. Also, although this is a major upgrade, it only caused a backward-incompatible issue in edx-platform. There are no other changes required for ecommerce. This is part of the rollout of: edx/edx-arch-experiments#429
christopappas
pushed a commit
to openedx/ecommerce
that referenced
this pull request
Nov 28, 2023
9.0.0 fixes ENABLE_FORGIVING_JWT_COOKIES bug. The JWT's LMS user id will now be compared to the user object's lms_user_id, rather than to its id. For details, see: openedx/edx-drf-extensions#408 Note that this won't be put into effect until ENABLE_FORGIVING_JWT_COOKIES is toggled on separately. Also, although this is a major upgrade, it only caused a backward-incompatible issue in edx-platform. There are no other changes required for ecommerce. This is part of the rollout of: edx/edx-arch-experiments#429
christopappas
pushed a commit
to openedx/ecommerce
that referenced
this pull request
Dec 4, 2023
9.0.0 fixes ENABLE_FORGIVING_JWT_COOKIES bug. The JWT's LMS user id will now be compared to the user object's lms_user_id, rather than to its id. For details, see: openedx/edx-drf-extensions#408 Note that this won't be put into effect until ENABLE_FORGIVING_JWT_COOKIES is toggled on separately. Also, although this is a major upgrade, it only caused a backward-incompatible issue in edx-platform. There are no other changes required for ecommerce. This is part of the rollout of: edx/edx-arch-experiments#429
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
Fixes a bug for any service other than the identity service
(LMS/CMS), where the session's local service user id would never
match the JWT LMS user id when compared.
renamed to jwt_auth_mismatch_session_lms_user_id to make this more
clear.
was added to enable choosing the user object property that contains
the LMS user id, if one exists. If this is set to None (the
default), the check will use the lms_user_id property if it is
found, and otherwise will skip this additional protection. In case
of an unforeseen issue, use 'skip-check' to skip the check, even
when there is an lms_user_id property.
provide observability into the new functionality.
BREAKING CHANGE: The breaking change only affects services with
ENABLE_FORGIVING_JWT_COOKIES enabled. It now requires the new setting
VERIFY_LMS_USER_ID_PROPERTY_NAME to be set appropriately in order to
provide the existing Session vs JWT user id check. Note that only
LMS/CMS will likely need to set this value.
Part of DEPR:
#371
Before merge checklist:
Merge checklist:
Post merge:
finished.