web staff client can spam open-ils.auth.session.retrieve requests

Bug #1774448 reported by Galen Charlton on 2018-05-31
This bug affects 1 person

Affects / Status / Importance / Assigned to / Milestone
Evergreen: Importance Undecided, Assigned to Unassigned
3.0: Importance Undecided, Assigned to Unassigned

Bug Description

The web staff client polls periodically to see if the authentication session is still current. This polling is done at an interval of the original auth session time (plus 5 seconds), using a $timeout.

However, super-large auth.staff_timeout values can result in the $timeout delay overflowing a 32-bit integer in most browser implementations (see https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope/setTimeout#Maximum_delay_value), meaning that it can do open-ils.auth.session.retrieve requests as quickly as possible... for every open browser tab logged into the web staff client.

If nothing else, this can cause logs to fill. A maximum poll time should be enforced below the 2,147,483,647 millisecond limit before a 32-bit integer overflows, and we should probably also coerce the minimum poll time to be 60 seconds or the like.

Evergreen 3.0+

Bill Erickson (berick) on 2018-05-31
Changed in evergreen:
status: New → Confirmed
assignee: nobody → Bill Erickson (berick)
status: Confirmed → In Progress
Bill Erickson (berick) wrote :

Fix pushed implementing Galen's suggestions.

Shortest poll value is now 60,000ms and longest is now 2,147,483,647ms.

http://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/berick/lp1774448-auth-poll-spam

Changed in evergreen:
milestone: none → 3.1.3
assignee: Bill Erickson (berick) → nobody
status: In Progress → Confirmed
tags: added: pullrequest webstaffclient
Changed in evergreen:
milestone: 3.1.3 → 3.1.4
Changed in evergreen:
milestone: 3.1.4 → 3.1.5
Bill Erickson (berick) wrote :

To confirm the overflow issue:

insert into actor.org_unit_setting (org_unit, name, value) values (1, 'auth.staff_timeout', '"30 days"');
(or UPDATE the existing row for that org_unit and name instead)

[Note that any value above the integer overflow value results in setTimeout firing immediately. No math required, just make it a big value.]

Then log into the staff client with the browser console open. Note the flow of session retrieve calls. Once the patch is applied, it should only fire once a minute.

To confirm the 1-minute minimum after applying the patch, do the same as above using '"30 seconds"' as the value and confirm in the browser logs the session retrieve call only fires once per minute.
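The delay arithmetic behind the bug report above and the two reproduction values from this comment ("30 days" overflows, "30 seconds" lands below the new floor), as an added example that is not Evergreen's own code. The function names (intervalToSeconds, pollDelayMs, overflowsBrowserTimer, clampedPollDelayMs, schedulePoll) and the interval parser are constructed for this example; the real client receives the session lifetime from the server in seconds rather than parsing the setting text.

```javascript
// Added example, not Evergreen's own code. It models the session-poll delay
// the bug report describes and the clamp the fix introduced. Every function
// name here is an assumption made for this example.
const MAX_TIMEOUT_MS = 2147483647; // largest delay a 32-bit setTimeout accepts
const MIN_POLL_MS = 60000;         // 60-second floor introduced by the fix
const POLL_SLACK_MS = 5000;        // "original auth session time plus 5 seconds"

const UNIT_SECONDS = { second: 1, minute: 60, hour: 3600, day: 86400 };

// Parse a setting value like "30 days" or "30 seconds" into seconds.
// Constructed helper so the reproduction values can be fed in directly.
function intervalToSeconds(text) {
  const m = /^\s*(\d+)\s*(second|minute|hour|day)s?\s*$/i.exec(text);
  if (!m) throw new Error(`unsupported interval: ${text}`);
  return Number(m[1]) * UNIT_SECONDS[m[2].toLowerCase()];
}

// Pre-fix behaviour: session lifetime plus 5 seconds, with no upper bound.
function pollDelayMs(authtimeSeconds) {
  return authtimeSeconds * 1000 + POLL_SLACK_MS;
}

// A delay above MAX_TIMEOUT_MS overflows the 32-bit delay field; browsers
// (and Node, with a TimeoutOverflowWarning) then fire the timer almost
// immediately, which is what produced the flood of session.retrieve calls.
function overflowsBrowserTimer(delayMs) {
  return delayMs > MAX_TIMEOUT_MS;
}

// Post-fix behaviour: clamp into [MIN_POLL_MS, MAX_TIMEOUT_MS].
function clampedPollDelayMs(authtimeSeconds) {
  const raw = pollDelayMs(authtimeSeconds);
  return Math.min(MAX_TIMEOUT_MS, Math.max(MIN_POLL_MS, raw));
}

// Schedule the next session check with the clamped delay. Returns the delay
// actually used so a caller can log it or assert on it.
function schedulePoll(authtimeSeconds, checkSession) {
  const delay = clampedPollDelayMs(authtimeSeconds);
  const handle = setTimeout(checkSession, delay);
  return { delay, handle };
}

// Stand-alone demo: the three cases discussed in the thread, then cancel the
// timer so the process does not linger for 24.8 days.
for (const setting of ['30 days', '30 seconds', '1 hour']) {
  const secs = intervalToSeconds(setting);
  const raw = pollDelayMs(secs);
  console.log(
    `${setting}: raw ${raw} ms, overflows=${overflowsBrowserTimer(raw)}, ` +
    `clamped ${clampedPollDelayMs(secs)} ms`);
}
const { handle } = schedulePoll(intervalToSeconds('30 days'), () => {});
clearTimeout(handle);
```

The upper clamp is the interesting half: a 30-day timeout is roughly 2.59 billion milliseconds, so without the clamp the timer does not wait 30 days, it fires at once, and each tab re-arms it immediately. With the clamp the client simply re-checks every 24.8 days, which is harmless.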

Jason Boyer (jboyer) wrote :

I came, I saw, I tested.

And it was fine. Signoff: http://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/jboyer/lp1774448-auth-poll-spam-signoff
working/user/jboyer/lp1774448-auth-poll-spam-signoff

Bill Erickson (berick) wrote :

Thanks, Jason! Merged to 3.0 and up.

Changed in evergreen:
assignee: nobody → Bill Erickson (berick)
status: Confirmed → Fix Committed
assignee: Bill Erickson (berick) → nobody
Changed in evergreen:
status: Fix Committed → Fix Released