  1. OpenShift GitOps
  2. GITOPS-8038

Old browser session JWT tokens can be used until the expiration timeout is hit


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Critical
    • 1.18.0
    • ArgoCD

      Description of Problem

      • The same issue is reported upstream: https://github.com/argoproj/argo-cd/issues/14930
      • If the session token stored in the browser cookie (`argocd.token`) is copied and the user then logs out, the copied token can still be reused: logging out does not invalidate it on the server side, and the token stays valid until its expiry claim is reached (24h by default). An attacker who obtained the cookie value therefore keeps API access until the expiration timeout is hit, regardless of logout.

      Additional Info

      Problem Reproduction

      • Steps to Reproduce added

      Reproducibility

      • Always

      Prerequisites/Environment

      • OpenShift GitOps

      Steps to Reproduce

      • Log in to the ArgoCD dashboard via OpenShift Login.
      • In the browser (Chrome), open Inspect > Application tab > Storage > Cookies > click the ArgoCD URL > in the middle pane look for `argocd.token`.
      • Copy the token value and check its expiry using KCS https://access.redhat.com/solutions/7116939
      • Log out of the ArgoCD dashboard and log in again; a new token is issued.
      • Use the command below to list applications with the old (pre-logout) session token; it still succeeds:
      argocd app list --server openshift-gitops-server-openshift-gitops.apps.<redacted> --grpc-web --auth-token "<Token>" 

      Expected Results

      • The old token should be invalidated as soon as the session is logged out, so the `argocd app list` call with it should fail with an authentication error.

      Actual Results

      • Old tokens remain usable until the expiration timeout (the token's `exp` claim, 24h by default) is reached.
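      The behaviour above, reduced to a self-contained illustration (added here for this report; this is not Argo CD's own code and the signing key, claims and `jti` values are constructed): `decode_claims` reads the payload of a copied `argocd.token` value without verifying it, which is enough to find the `exp` claim; `verify_stateless` models a server that checks only the signature and the time window, which is exactly why logout has no effect on a copied token; `verify_with_revocation` shows the extra server-side state (a set of revoked token IDs) that "old token expires on logout" would require.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_session_token(key: bytes, sub: str, iat: int, ttl_s: int = 24 * 3600, jti: str = "1") -> str:
    """Mint an HS256 JWT shaped like a browser session token.
    Constructed sample for this report; claim set and key are assumptions, not Argo CD's code."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "argocd", "sub": sub, "iat": iat, "nbf": iat, "exp": iat + ttl_s, "jti": jti}
    signing_input = "{}.{}".format(
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(claims, separators=(",", ":")).encode()),
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return "{}.{}".format(signing_input, _b64url(sig))


def decode_claims(token: str) -> dict:
    """Read the payload of a copied argocd.token cookie WITHOUT verifying it (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact-serialised token")
    return json.loads(_b64url_decode(parts[1]))


def seconds_remaining(token: str, now: int) -> int:
    """How long a copied token stays usable against a stateless verifier."""
    return max(0, decode_claims(token)["exp"] - now)


def verify_stateless(token: str, key: bytes, now: int) -> bool:
    """Signature + nbf/exp window only. Nothing here knows whether the session was logged out."""
    try:
        head, payload, sig = token.split(".")
    except ValueError:
        return False
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        return False
    expected = hmac.new(key, "{}.{}".format(head, payload).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False
    claims = json.loads(_b64url_decode(payload))
    return claims.get("nbf", 0) <= now < claims["exp"]


def verify_with_revocation(token: str, key: bytes, now: int, revoked_jti: set) -> bool:
    """Same check plus a server-side denylist of logged-out token IDs (illustrative fix shape)."""
    if not verify_stateless(token, key, now):
        return False
    return decode_claims(token).get("jti") not in revoked_jti


def demo() -> dict:
    key = b"constructed-server-signing-key"  # assumption: server-side HMAC secret
    t0 = 1_700_000_000
    old = make_session_token(key, "admin", t0, jti="session-1")  # token copied from the cookie
    revoked = set()
    # User logs out. The browser drops the cookie; a stateless server records nothing.
    # A server that did track logout would add the token ID to a denylist until its exp:
    revoked.add(decode_claims(old)["jti"])
    new = make_session_token(key, "admin", t0 + 60, jti="session-2")  # token from the re-login
    later = t0 + 3600  # one hour after logout, well inside the 24h window
    return {
        "old_still_valid_stateless": verify_stateless(old, key, later),
        "old_rejected_with_revocation": verify_with_revocation(old, key, later, revoked),
        "new_accepted_with_revocation": verify_with_revocation(new, key, later, revoked),
        "old_valid_at_exp": verify_stateless(old, key, t0 + 24 * 3600),
        "seconds_remaining_after_logout": seconds_remaining(old, later),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

      Against a live instance the equivalent check is the `argocd app list --auth-token` call from the steps above: run it with the pre-logout token after logging out and re-logging in, and compare `exp` from `decode_claims` with the current time to see how long the window of exposure is.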

      Problem Analysis

      • <Completed by engineering team as part of the triage/refinement process>

      Root Cause

      • <What is the root cause of the problem? Or, why is it not a bug?>

      Workaround (If Possible)

      Fix Approaches

      • <If we decide to fix this bug, how will we do it?>

      Acceptance Criteria

      • ...

      Definition of Done

      • Code Complete:
        • All code has been written, reviewed, and approved.
      • Tested:
        • Unit tests have been written and passed.
        • Ensure code coverage is not reduced with the changes.
        • Integration tests have been automated.
        • System tests have been conducted, and all critical bugs have been fixed.
        • Tested and merged on OpenShift either upstream or downstream on a local build.
      • Documentation:
        • User documentation or release notes have been written (if applicable).
      • Build:
        • Code has been successfully built and integrated into the main repository / project.
        • Midstream changes (if applicable) are done, reviewed, approved and merged.
      • Review:
        • Code has been peer-reviewed and meets coding standards.
        • All acceptance criteria defined in the user story have been met.
        • Tested by reviewer on OpenShift.
      • Deployment:
        • The feature has been deployed on OpenShift cluster for testing.

              rh-ee-anjoseph Anand Francis Joseph
              rhn-support-sburhade Satyam Burhade
              Votes: 0
              Watchers: 4