Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

login_api::logout API does not clean up registered API sets #2618

Open
1 of 17 tasks
abitmore opened this issue Jul 29, 2022 · 0 comments
Open
1 of 17 tasks

login_api::logout API does not clean up registered API sets #2618

abitmore opened this issue Jul 29, 2022 · 0 comments
Milestone
Future Feature Re...

Comments

@abitmore
Copy link
Member

abitmore commented Jul 29, 2022
edited
Loading

Bug Description

When login_api::logout is called, or login_api::login is called again but failed, or succeeded but the new user has access to fewer API sets, ideally, we should clean up the API sets that the previous user registered but is no longer available.

However, the shared pointers to these objects are already saved elsewhere (in FC), so we are unable to clean up.

That means the API set IDs for the registered API sets are still accessible even if the new user should not have access to.

bitshares-core/libraries/app/api.cpp

Lines 80 to 83 in 8c93d58

// Ideally, we should clean up the API sets that the previous user registered but the new user
// no longer has access to.
// However, the shared pointers to these objects are already saved elsewhere (in FC),
// so we are unable to clean up, so it does not make sense to reset the optional fields here.

bitshares-core/libraries/app/api.cpp

Lines 91 to 93 in 8c93d58

// Ideally, we should clean up the API sets that the previous user registered.
// However, the shared pointers to these objects are already saved elsewhere (in FC),
// so we are unable to clean up, so it does not make sense to reset the optional fields here.

Impacts
Describe which portion(s) of BitShares Core may be impacted by this bug. Please tick at least one box.

  • API (the application programming interface)
  • Build (the build process or something prior to compiled code)
  • CLI (the command line wallet)
  • Deployment (the deployment process after building such as Docker, Travis, etc.)
  • DEX (the Decentralized EXchange, market engine, etc.)
  • P2P (the peer-to-peer network for transaction/block propagation)
  • Performance (system or user efficiency, etc.)
  • Protocol (the blockchain logic, consensus, validation, etc.)
  • Security (the security of system or user data, etc.)
  • UX (the User Experience)
  • Other (please add below)

Host Environment
Please provide details about the host environment. Much of this information can be found running: witness_node --version.

  • Host OS: [e.g. Ubuntu 18.04 LTS]
  • Host Physical RAM [e.g. 4GB]
  • BitShares Version: [e.g. 2.0.180425]
  • OpenSSL Version: [e.g. 1.1.0g]
  • Boost Version: [e.g. 1.65.1]

CORE TEAM TASK LIST

  • Evaluate / Prioritize Bug Report
  • Refine User Stories / Requirements
  • Define Test Cases
  • Design / Develop Solution
  • Perform QA/Testing
  • Update Documentation
@abitmore abitmore mentioned this issue Jul 29, 2022
Closed
22 tasks
@abitmore abitmore added this to the Future Feature Release milestone Jul 29, 2022
@abitmore abitmore changed the title Calling API again will not revoke access to already allowed API sets (previous user) if the new user has permission to fewer API sets. login_api::logout API does not clean up registered API sets Jul 29, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
Future Feature Release
Development

No branches or pull requests
1 participant
@abitmore