
Account Name leaks into different sessions #504

Open · maany opened this issue Dec 12, 2024 · 4 comments

Labels: bug (Something isn't working)

maany commented Dec 12, 2024

Description

The account name property of the session appears to be leaking between user sessions. This issue occurs due to server-side caching in Next.js, where responses from certain API endpoints are cached and shared across sessions. No other session parameters seem to be affected.

Steps to reproduce

  1. Login via x509 certificate to https://atlas-rucio-webui-int.cern.ch
  2. Login via x509 with a different account (from a different browser/machine)
  3. Observe that the dashboard in Step 2 displays the account name of the user from Step 1.

Rucio WebUI Version

35.5.0

Additional Information

No response

@maany maany added the bug Something isn't working label Dec 12, 2024
@maany maany added this to the 36.0.0 milestone Dec 12, 2024
@maany maany self-assigned this Dec 12, 2024
maany commented Dec 12, 2024

This issue is caused by Next.js server-side caching. When a user logs in and is redirected to the dashboard, the site_header query sends a request to the /api/feature/get-site-header Next.js API endpoint.

Next.js caches the response of this endpoint on the server side. For example, when a user with the account ddmadmin logs in, the response might look like this:

rucioIdentity: "CN=Mayank Sharma,CN=098765,CN=mayank,OU=Users,OU=Organic Units,DC=cern,DC=ch"
rucioAccount: "ddmadmin"
rucioVO: "def"
role: "user"

When a new user logs in with a different account on a different machine, the site_header query again requests the /api/feature/get-site-header endpoint. However, instead of executing the feature and generating a fresh response, the server returns the cached response, which includes the rucioAccount from the previous user.

maany commented Dec 13, 2024

Upon further investigation, it seems the responses from Next.js endpoints are being cached by either the HTTPD reverse proxy or the CERN OpenStack LBaaS load balancer.

This issue does not occur in dev/prod setups where requests are routed directly to the Next.js endpoint, bypassing additional reverse proxies or load balancers. This confirms that Next.js itself is not caching the responses.

maany commented Dec 13, 2024

Possible solutions:

  1. Add a Cache-Control header in CERN LBaaS config.
    CERN LBaaS policies can be set as follows:
    https://clouddocs.web.cern.ch/networking/l7_policies.html#validation_3

  2. Disable httpd caching by adding the same headers for all '/api/feature/*' routes

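The mechanism described in this thread, as an added example that is not part of the issue or of the rucio-webui code base: a small JavaScript model of a shared HTTP cache (the HTTPD reverse proxy or LBaaS) sitting in front of a per-session API route. The session cookies, account names and the assumption that the cache keys only on method and URL are constructed for illustration; the `Cache-Control` semantics (`no-store` and `private` are never stored by a shared cache) follow RFC 9111.

```javascript
// Added example (not rucio-webui code): a minimal model of a shared HTTP cache
// (reverse proxy / load balancer) in front of a per-session API route, showing
// how a cacheable response to /api/feature/get-site-header hands one user's
// rucioAccount to the next user, and how Cache-Control stops it.

// Constructed fixture: two browser sessions identified by cookie. In the real
// application the session is resolved server-side; the account values here are
// placeholders, not real data.
const SESSIONS = {
  'session=aaa': { rucioAccount: 'ddmadmin', rucioVO: 'def', role: 'user' },
  'session=bbb': { rucioAccount: 'otheruser', rucioVO: 'def', role: 'user' },
};

const PATH = '/api/feature/get-site-header';

// The origin (standing in for the Next.js API route). It answers per session;
// `cacheControl` is the header value the route chooses to emit, if any.
function origin(req, cacheControl) {
  const session = SESSIONS[req.headers.cookie];
  const headers = { 'content-type': 'application/json' };
  if (cacheControl) headers['cache-control'] = cacheControl;
  return { status: 200, headers, body: session };
}

// Shared cache keyed only on method + URL. Without explicit directives it
// stores any 200 response, which is the behaviour the issue observed behind
// the HTTPD proxy / LBaaS (assumption: no per-cookie cache key configured).
class SharedCache {
  constructor() { this.store = new Map(); }

  // RFC 9111 rules a shared cache must follow: never store `no-store`, and
  // never store `private` (that response is for one user's browser only).
  isStorable(res) {
    const directives = (res.headers['cache-control'] || '')
      .toLowerCase().split(',').map((d) => d.trim());
    return !directives.includes('no-store') && !directives.includes('private');
  }

  fetch(req, originFn) {
    const key = `${req.method} ${req.path}`;
    const hit = this.store.get(key);
    if (hit) return { ...hit, fromCache: true };
    const res = originFn(req);
    if (this.isStorable(res)) this.store.set(key, res);
    return { ...res, fromCache: false };
  }
}

// Replays the reproduction steps from the issue: user A logs in and loads the
// dashboard, then user B does the same through the same proxy. Returns the
// rucioAccount each user's dashboard would display.
function runScenario(cacheControl) {
  const proxy = new SharedCache();
  const request = (cookie) => ({ method: 'GET', path: PATH, headers: { cookie } });
  const a = proxy.fetch(request('session=aaa'), (r) => origin(r, cacheControl));
  const b = proxy.fetch(request('session=bbb'), (r) => origin(r, cacheControl));
  return {
    userA: a.body.rucioAccount,
    userB: b.body.rucioAccount,
    userBServedFromCache: b.fromCache,
  };
}

// Leaky: no Cache-Control, so user B is shown user A's "ddmadmin".
const leaky = runScenario(undefined);
// Fixed: the header both proposed fixes would add; user B sees "otheruser".
const fixed = runScenario('private, no-store');

console.log('no Cache-Control  :', leaky);
console.log('private, no-store :', fixed);
```

The same header can be emitted at either layer the thread proposes: in a Next.js Pages Router API route via `res.setHeader('Cache-Control', 'private, no-store')`, or in Apache httpd with mod_headers, `Header always set Cache-Control "private, no-store"` inside a `<LocationMatch "^/api/feature/">` block. Note that `public, max-age=...` would keep the leak even with an explicit header, so a quick check after deploying is `curl -sI` against one of the `/api/feature/*` endpoints to confirm `Cache-Control: private, no-store` is present in the response as seen through the proxy, not only at the Next.js origin.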