Uploaded image for project: 'Red Hat 3scale API Management'
  1. Red Hat 3scale API Management
  2. THREESCALE-7475

Some api calls result in "Destroying user session"

    XMLWordPrintable

Details

      1. Create new access token with all permissions/scopes
      2. Go to 3scale API Docs page
      3. Send Backend create request with the token
      4. Reload admin portal page
      5. See it requires login

    Description

      Some api calls trough API Docs page cause session to log out. Doesn't happen while using the curl command.

      Known to cause this:

      • Backend create/delete/update
      • Field definitions update/delete

      In the logsĀ (attached below) for system-provider shows:

      ... Can't verify CSRF token authenticity.
      ... Destroying user session {id}
      

      Where id is filled AND actually logs out when used trough API Docs page. When using curl the id is missing and doesn't cause log out.

      Dev notes

      Every endpoint in the API Docs page which returns json and uses different HTTP methods than GET will trigger the destruction of the session.

      The easiest fix is to disable the CSRF protection for json requests. However, this is not optimal.
      We should fix the communication between the backend and frontend so it won't destroy the user session.

      Attachments

        Activity

          People

            Unassigned Unassigned
            rhn-support-azgabur Alexander Zgabur
            Jakub Smadis Jakub Smadis (Inactive)
            Alexander Zgabur Alexander Zgabur
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: