Fix that auth tokens would sometimes be overwritten (#8738)

fm3 · web-flow · commit 026cde48fdd5 · 2025-07-02T11:21:58.000+02:00
Quoting from Silhouette’s BearerTokenAuthenticator docstring for `update`: ``` * Updates the authenticator with the new last used date in the backing store. * * We needn't embed the token in the response here because the token itself will not be changed. * Only the authenticator in the backing store will be changed. ``` Our implementation of `update` did something else. It fetched *any* authenticator of the same user and changed not only the last used date time but also the value. So if update was called by silhouette on a datastore token, it could happen that an Authentication token was changed. This bug has been in place ever since #2149 but to trigger it, a request has to be sent to `/api/` with a valid *datastore* token. We don’t usually do that, but the libs tests seem to do so now. That is also a libs bug. This also caused the webknossos-libs tests to get 401 responses when using X-Auth-Tokens that were lost in this way. ### Steps to test: - Requests with X-Auth-Token should work, token should stay fixed. - Normal datastore/tracingstore operation should also still work ------ - [x] Added changelog entry (create a `$PR_NUMBER.md` file in `unreleased_changes` or use `./tools/create-changelog-entry.py`) - [x] Considered [common edge cases](../blob/master/.github/common_edge_cases.md)
diff --git a/app/security/BearerTokenAuthenticatorRepository.scala b/app/security/BearerTokenAuthenticatorRepository.scala
@@ -3,7 +3,6 @@ package security
 import play.silhouette.api.LoginInfo
 import play.silhouette.api.repositories.AuthenticatorRepository
 import play.silhouette.impl.authenticators.BearerTokenAuthenticator
-import com.scalableminds.util.accesscontext.{DBAccessContext, GlobalAccessContext}
 import com.scalableminds.util.time.Instant
 import com.scalableminds.util.tools.Fox
 import TokenType.TokenType
@@ -19,23 +18,15 @@ class BearerTokenAuthenticatorRepository(tokenDAO: TokenDAO)(implicit ec: Execut
   override def add(authenticator: BearerTokenAuthenticator): Future[BearerTokenAuthenticator] =
     add(authenticator, TokenType.Authentication)
 
-  override def update(newAuthenticator: BearerTokenAuthenticator): Future[BearerTokenAuthenticator] = {
-    implicit val ctx: DBAccessContext = GlobalAccessContext
+  override def update(newAuthenticator: BearerTokenAuthenticator): Future[BearerTokenAuthenticator] =
     (for {
-      oldAuthenticatorSQL <- tokenDAO.findOneByLoginInfo(newAuthenticator.loginInfo.providerID,
-                                                         newAuthenticator.loginInfo.providerKey,
-                                                         TokenType.Authentication)
-      _ <- tokenDAO.updateValues(
-        oldAuthenticatorSQL._id,
+      _ <- tokenDAO.updateLastUsedDateTime(
         newAuthenticator.id,
         Instant.fromZonedDateTime(newAuthenticator.lastUsedDateTime),
-        Instant.fromZonedDateTime(newAuthenticator.expirationDateTime),
-        newAuthenticator.idleTimeout
       )
       updated <- findOneByValue(newAuthenticator.id)
     } yield updated).toFutureOrThrowException(
       "Could not update Token. Throwing exception because update cannot return a box, as defined by Silhouette trait AuthenticatorDAO")
-  }
 
   override def remove(value: String): Future[Unit] =
     for {
diff --git a/app/security/Token.scala b/app/security/Token.scala
@@ -2,7 +2,6 @@ package security
 
 import play.silhouette.api.LoginInfo
 import play.silhouette.impl.authenticators.BearerTokenAuthenticator
-import com.scalableminds.util.accesscontext.DBAccessContext
 import com.scalableminds.util.enumeration.ExtendedEnumeration
 import com.scalableminds.util.time.Instant
 import com.scalableminds.util.tools.Fox
@@ -116,20 +115,11 @@ class TokenDAO @Inject()(sqlClient: SqlClient)(implicit ec: ExecutionContext)
                           ${t.tokenType}, ${t.created}, ${t.isDeleted})""".asUpdate)
     } yield ()
 
-  def updateValues(id: ObjectId,
-                   value: String,
-                   lastUsedDateTime: Instant,
-                   expirationDateTime: Instant,
-                   idleTimeout: Option[FiniteDuration])(implicit ctx: DBAccessContext): Fox[Unit] =
+  def updateLastUsedDateTime(value: String, lastUsedDateTime: Instant): Fox[Unit] =
     for {
-      _ <- assertUpdateAccess(id)
       _ <- run(q"""UPDATE webknossos.tokens
-                   SET
-                     value = $value,
-                     lastUsedDateTime = $lastUsedDateTime,
-                     expirationDateTime = $expirationDateTime,
-                     idleTimeout = ${idleTimeout.map(_.toMillis)}
-                   WHERE _id = $id""".asUpdate)
+                   SET lastUsedDateTime = $lastUsedDateTime
+                   WHERE value = $value""".asUpdate)
     } yield ()
 
   def deleteOneByValue(value: String): Fox[Unit] = {
diff --git a/unreleased_changes/8738.md b/unreleased_changes/8738.md
@@ -0,0 +1,2 @@
+### Fixed
+- Fixed a bug where authentication tokens would sometimes expire too soon.

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+### Fixed`
	`2`	`+- Fixed a bug where authentication tokens would sometimes expire too soon.`