Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: InactivitySessionTimeoutMiddleware: Check for last_login (allow Django admin login + access) #6800

Open
wants to merge 2 commits into
base: develop
Choose a base branch
from

Conversation

maerteijn
Copy link

PR fulfills these requirements

  • Commit message(s) and PR title follows the format [fix|feat|ci|chore|doc]: TICKET-ID: Short description of change made ex. fix: DEV-XXXX: Removed inconsistent code usage causing intermittent errors
  • Tests for the changes have been added/updated (for bug fixes/features)
  • Docs have been added/updated (for bug fixes/features)
  • Best efforts were made to ensure docs/code are concise and coherent (checked for spelling/grammatical errors, commented out code, debug logs etc.)
  • Self-reviewed and ran all changes on a local instance (for bug fixes/features)

Note: I do not (yet) understand what should be the TICKET-ID and how to decide the commit message with this prefix DEV-XXXX, therefore I left it empty for now and just added the commit message. (Suggestion: Add documentation for outside collaborators how they can determine this).

Change has impacts in these area(s)

(check all that apply)

  • Product design
  • Backend (Database)
  • Backend (API)
  • Frontend

Not really sure which one to choose.

Describe the reason for change

Allows login into the Django admin "Out-of-the-box", and makes sure no last_login comparison is made when never logged in. See also the issue Admin Page - Not letting login #4083

What does this fix?

Allow users to login via the Django admin login screen (/admin/login)

What is the new behavior?

The InactivitySessionTimeoutMiddleware won't automatically logout a user when last_login is not set in the user session.

What is the current behavior?

The InactivitySessionTimeoutMiddleware logs out all users which do not have the last_login value set > 0 in the user session.

What libraries were added/updated?

N/A

Does this change affect performance?

No

Does this change affect security?

No

What alternative approaches were there?

I suggest to completely remove the InactivitySessionTimeoutMiddleware in a future release. Session expiration time can be set out of the box via the SESSION_COOKIE_AGE.

If manual extension / adjustion of the session time is required, you can use the .set_expiry() method. (In the /users/login view for example).

What feature flags were used to cover this change?

N/A

Does this PR introduce a breaking change?

(check only one)

  • Yes, and covered entirely by feature flag(s)
  • Yes, and covered partially by feature flag(s)
  • No
  • Not sure (briefly explain the situation below)

What level of testing was included in the change?

(check all that apply)

  • e2e
  • integration
  • unit

Which logical domain(s) does this change affect?

(for bug fixes/features, be as precise as possible. ex. Authentication, Annotation History, Review Stream etc.)
Authentication

Only check for last_login when it is actually set in the session. Otherwise a user is immediately logged out when not logged in via the user_login view (for example via the Django admin)
Copy link

netlify bot commented Dec 17, 2024

👷 Deploy request for label-studio-docs-new-theme pending review.

Visit the deploys page to approve it

Name Link
🔨 Latest commit 70b0b97

Copy link

netlify bot commented Dec 17, 2024

👷 Deploy request for heartex-docs pending review.

Visit the deploys page to approve it

Name Link
🔨 Latest commit 70b0b97

@@ -56,6 +56,10 @@
'handlers': ['console'],
# 'propagate': True,
},
'core': {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why do we need this?

Copy link
Author

@maerteijn maerteijn Dec 18, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added this at first because in theInactivitySessionTimeoutMiddleware the following is being logged:

logger.info(
f'Request is too far from last login {current_time - last_login:.0f} > {settings.MAX_SESSION_AGE}; logout'
)
logout(request)

But this was not visible in the console. It would have saved me a lot of time to figure out why I couldn't login into the Django admin, so that's why I added it.

I removed this logging config adjustments and replaced this with a less intrusive change.

I now changed the logging expression to logger.warn: 70b0b97

Now it is default shown in the console without adding a separate logger config for the core app:

[2024-12-18 09:15:47,382] [core.middleware::process_request::217] [WARNING] Request is too far from last login 1734513347 > 1209600; logout

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@makseq See my comment above regarding the logging configuration which I mostly removed now.

Is there anything I could do more to make this PR acceptable to be merged?

@maerteijn maerteijn force-pushed the fix/inactivity-session-timeout-middleware-last-login branch from a5a0874 to 70b0b97 Compare December 18, 2024 09:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants