chore(backend): force token expire

[thbcmlowk]

Description

Part of FL-1656

Disable never expiring BearerToken

Companion

Substra/substra-frontend#385

How has this been tested?

On dev by:

• Creating expiring tokens and one never-expiring
• Applying the migration code
• Check db results

Creating tokens

 select * from users_bearertoken;

            created            |     note      |         expires_at         |                  id                  | user_id 
-------------------------------+---------------+----------------------------+--------------------------------------+---------
 2024-08-27 12:47:09.093701+00 | expires-60    | 2024-10-26 12:47:08.395+00 | 3a07a145-9ecd-46e8-aa00-35a9a3d2ebf2 |       4
 2024-08-27 12:47:16.34687+00  | never-expires |                            | 456efb44-4f30-49f8-bc12-46a673da9f90 |       4

Applying migration

I have no name!@substra-backend-substra-backend-server-5674697f78-ds9nk:/usr/src/app$ ./manage.py migrate users
Operations to perform:
  Apply all migrations: users
Running migrations:
  Applying users.0008_alter_bearertoken_expires_at... OK

            created            |     note      |          expires_at           |                  id                  | user_id 
-------------------------------+---------------+-------------------------------+--------------------------------------+---------
 2024-08-27 12:47:09.093701+00 | expires-60    | 2024-10-26 12:47:08.395+00    | 3a07a145-9ecd-46e8-aa00-35a9a3d2ebf2 |       4
 2024-08-27 12:47:16.34687+00  | never-expires | 2024-08-27 12:50:24.131665+00 | 456efb44-4f30-49f8-bc12-46a673da9f90 |       4

Checklist

• changelog was updated with notable changes
• documentation was updated

[linear]

FL-1656 Investigate token lifetime

[thbcmlowk]

/e2e --tests=substrafl,mnist,camelyon,frontend --refs=substra-frontend=chore/disable-never-expiring-token

[Owlfred]

End to end tests: ✔️ SUCCESS

[SdgJlbl]

One question, otherwise LGTM.
I don't know enough about the OIDC implementation to know if it will work without issues there.
And we have to keep in mind at the next upgrade that all tokens will be revoked.

[SdgJlbl]

By default, all existing tokens will expire immediately at the time of the migration. Is that what you want?

[thbcmlowk]

I think the idea was rather to set an immediate expiration date for token that does not have one

[thbcmlowk]

Updated, thank you

[ThibaultFy]

I don't understand, does that mean that by default it expires instantly ?

[thbcmlowk]

Thanks for asking, I am not sure I remember the rational behind this particular change.

[guilhem-barthes]

It may have been that all already existing tokens are revoked

[guilhem-barthes]

Do we really want a default value or do we want to force the user to provide it?

[thbcmlowk]

What it means is that if no value is provided, the token will be created with instant expire. Note that the fronted will disable the possibility to create token with a null expires_at field. One other option is to remove the default ; meaning that creating a token with a null expires_at field will raise the following error:

django.db.utils.IntegrityError: null value in column "expires_at" of relation "users_bearertoken" violates not-null constraint

Not sure of what would be the best behavior, but happy to rework this if we think it's worth.

[thbcmlowk]

Do we really want a default value or do we want to force the user to provide it

Did not refresh, sorry. Obviously better if we force the user to provide it indeed. Is there a clean way to do so?

[guilhem-barthes]

How did you get this IntegrityError ? The serializer should have returned an error when receiving an empty field for expires_at (and if I recall correctly, DRF does not emit DB django error)

[thbcmlowk]

I have the error when running tests that rely on instantiating tokens with null expires_at (eg here) and setting either:

• required=True in the BearerTokenSerializer
• blank=False in the BearerToken model

[thbcmlowk]

/e2e --tests=sdk,substrafl,mnist,camelyon,frontend

[Owlfred]

End to end tests: ✔️ SUCCESS

[guilhem-barthes]

👍

[guilhem-barthes]

Thanks for your work!

[guilhem-barthes]

/e2e --tests=sdk,substrafl,mnist,camelyon,frontend

[Owlfred]

End to end tests: ❌ FAILURE

Jobs status:

• Camelyon / camelyon,frontend: ❌
• Dispatch Jobs: ✔️
• Documentation: ⏭️
• MNIST / mnist,frontend: ❌
• SubstraFL / substrafl,frontend: ❌
• SubstraSDK / sdk: ❌

“You shall not pass!” ― Gandalf, The Lord of the Rings, The Fellowship of the Ring