SK
Signal KDavid Godin

Session Management

Login and Admin UI Remember Me This is a follow up about https://github.com/SignalK/signalk-server/pull/1670 and the login infinite look it creates in KIP I assumed the Admin UI worked like most sites: check the box and it log's you in automatically. You still need to get a token and it expires but it will renew automatically in the background for you. In any case, thats not really the issue since it's a login feature of the Admin UI, right? I think the "Remember Me timeout" should only affect the Admin UI and not the login API response token TTL. In my view they are two separate things. Because they are tied and v2.6 changes "Remember Me timeout=NEVER" as the default (see thread from Jess on this) it has more impact and will create support questions, at least for Kip. NEVER was not listed and an option before in the "Remember me" (still not in v2.6). It only used to apply to Device Tokens. At least from a UI perspective (see image). In short, I think the Admin UI "Remember Me timeout" and how the login API generates User Session token expiration should be two separate settings. Else the Admin IU's "Remember Me timeout" settings also affect all other apps using the login API, be it from a local or a remote call. Makes sense?
No description
No description
TK
Teppo Kurki39d ago
The security setting for rememberme timeout is for the server, not the admin ui. Admin ui has plenty of settings that configure the server: that is kinda what the admin ui’s primray purpose is What is the actual problem here? The infinite loop? What exactly is the mechanism there that is is triggered by the NEVER value? Can you point me to Kip code that handles login & tokens?
DG
David Godin39d ago
Are you angry? Forget about the code for a moment. I'd say if we both don't understand this simple subject, something is not clear about what things do and/or how it is presented in the UI. - First, in the login screen have a "Remember Me" toggle option. Based on most common application, this makes apps and sites remember your credentials automatically. Just as it says. Maybe it even log you in automatically. Is that what this toggle does? - Second, in the Admin UI's Security / Settings, the is a "Remember Me timeout" parameter which appears to be very closely related. If the "Remember Me timeout" parameter sets tokens expiration rule for user logins, including login api calls, it should be named accordingly. If it's not what it should do and that it should only apply to the local cookie token, there is a bug because KIP does not rely on cookies and it receives NEVER in the token result from the login api response. - Thirdly, I don't understand why we would put to NEVER by default, unless it's not important to have that level of security by default. In this day and age, I'd say it's advisable, the feature already exists and works very well. If KIP needs to handle the new NEVER token expiration , I'm sure you would do a better job then me, but I'll first try to fix it. This option was not listed as a possibility in the UI before. If the new option stays, the UI should probably be updated because once you change NEVER to something else, there is no way to know, if you don't remember later, that it's a possibility. Hope this helps
TK
Teppo Kurki39d ago
sorry if my burst of short questions sounded angry, was just a bit busy so they came out that way i'll try to write a bit longer description of how the server works and how i (and i think Scott to some extent) have envisioned things to work over the weekend 1) when you call login endpoint with RememberMe the server response sets a cookie that is set to never expire and the jwt in it never expires. when you restart the browser the cookie remains - it is the same session, so technically it does not log you in automatically because you were never logged out, browser restart has no effect without RememberMe set in login the cookie has no MaxAge set and the browser deletes the cookie on restart Admin UI relies 100% on the cookie, just calls server with credentials : include, nothing in http headers 2) currently there is only one setting for session timeout. it affects both the jwt and cookie lifetime. can be renamed in the UI. can't be simply limited only to cookie, as then there would be no way to control the lifetime of token's lifetime 3) the idea for changing it to NEVER was brought up in Slack: people complaining that they are constantly logged out. As i phrased it in the PR: "as a user when I login and set RememberMe to true I expect the server to keep remembering me, over browser restart, with no set time limit" You argued that "NEVER" was not there before so it should not be added. I don't buy that argument - if we continue in that direction we can never change anything, because "it was not like that before". Certainly we want to minimise hassle and problems, but be able to progress to me a core problem here is that I did not understand that Kip manages tokens independently and that this could cause trouble. NEVER was already in use for device accesses, so I assumed this change would not cause issues i asked about pointers to Kip code to just better understand how things work there. code is the ultimate documentation, albeit nontrivial to understand 😁
TK
Teppo Kurki39d ago
PS. concise Discord thread names help navigating Discord, the beginning of a post is rarely useful as the name
No description
DG
David Godin38d ago
No problem. It’s water under the bridge… I fully agree things need to evolve 👍 To further my knowledge: I want to understand if the Serve (not sure how to name it - I mean the SK service) handles Users and Devices session tokens separately from the Admin UI: I assumed, probably wrongly - but it made good sense, that the Server handled both User and Device tokens independently from the Admin UI. That for the Server, both token types (Users and Devices) worked the same way with one exception: User tokens don’t required manual approval in the admin UI. So for this this meant the server has a "token store" for each Device and/or User with the expiration logic. Again following my assumption, the Server automatically generates, saved to the “token store” and sends back the token in the response upon login api calls (or device token api, don't remember if they are the same...). When the server receives a request with an expired token, it refuses to process and return a 4xx error (I don’t remember the exact error number). It’s up to the app/client to handle the exception. So, again with my assumption, the admin UI used a User token but saves it in a cookie for it's own use.
UU
Unknown User38d ago
DG
David Godin38d ago
So onto how KIP works: keeping in mind it's mostly ran on different devices than the server, KIP always make a login api call on startup and injects the token to all subsequent API requests. It decodes the expiration date from the token string, and auto renews seconds before it expires - it simply make a new login api call. Tokens are never saved and no cookie is used Thanks Jess. I think KIP needs to handle NEVER for User tokens. It does for Devices tokens already. I just need to find time to fixed it and release, but I have a big PR to commit first. I'll see what I can do to expedite. @Teppo Kurki unless we think a NEVER expire User token is not a good thing In my interpretation of how things worked, for me, the cookie, and it's contained token, was only related to the Admin UI, meaning both the "Remember me" toggle only update the Admin UK cookie and that it had nothing to do with how the Server handled tokens and their expirations. It's probably not how it works, but it would make real good sense. It would fix one issue: when KIP makes the login API call, it would not force a cookie token update and unexceptionally change the user and permissions used by the Admin UI, or other apps that use that same cookie. The User session token NEVER expire issue is something else. KIP needs a fix if NEVER is a possible value and somewhat fast because it's now the default. @Teppo Kurki I'm here to have fun and so are you. I’ll try and take things less personal 😉
TK
Teppo Kurki38d ago
here's (somewhat opinionated) documentation on how sessions work https://github.com/SignalK/signalk-server/pull/1692 i think a core question here is the direction where we want to go: 1. all webapps share the same session 2. each webapp manages its own session what i don't quite see is the value for users in going for (2) - in what real world use cases has that more value than shared sessions? a practical use case is opening Kip and Freeboard in two browsers windows or Kip embedded in Freeboard: with shared cookie based sessions everything just works, no extra effort needed (please ignore the fact that Kip-in-Freeboard is already implemented, let's imagine i created KipsrtumentPanelSteelSeries the next gen instrument display thingamagic) i assume that by far the majority of servers out there with security on have only a single user configured to me "single sign on" is by far more valuable than the case where you want different identities in different windows in a single browser
DG
David Godin38d ago
I have not yet looked at the link yet. Need to sleep! People use apps remotely and have different people on board. Think of racing crews and large working ships, or just husband and wife. They want/need different configurations from the same app to suit their needs. I had a question just today in the Kip channel on this. I’ve had others ask before as well simply because their guess/wife constantly messed around with their config from their personal iPad but with the same user. I use this feature myself. We have applicationData user key for that purpose and it works great. It’s a real active use case. It’s simply that this small part of SK is still designed with a one man, one nav station simple approach that it probably started with. It’s a simple improvement to finalize this evolution.
TK
Teppo Kurki37d ago
Sorry i distracted you, of course multiple users are definitely needed But what concrete use cases are better served by session-per-webapp instead of shared sessions? When would one need different identities in different webapps in a single browser? This is not about applicationData per user, that works with either I can think of one mechanism we are missing for shared sessions: webapps getting notified of ”current user” changing. But that doesn’t work with session-per-webapp either if you have multiple browser windows with Kip and you login as a new user in one of them, the others won’t notice (i assume, have not tested)
DG
David Godin37d ago
Right. They don't affect each other. Been reading and it's a very good addition. I'd like to make suggestions, even contribute, if I may. I'm a not knowledgeable about SK code just as most non-core team devs are. May be my insight could help address this reader perspective. Let me know if/how you want the collaboration to happen... Here is how my newbie brain approach the subject: 1. Server Tokens: state management, expiration, User vs Device tokens 2. Authentication API: Login, Logout, Validate, HTTP vs WebSocket 3. Device Access Requests: Requests and Admin UI approval 4. Cookies: Concept and application 5. WebApps & Plugins implementation: What you would use and what's their benefits/limitations/impacts Not sure Admin UI is relevant in this context. It's just another WebApp... I'd make a page dedicated to Admin UI and explain the Remember Me login page toggle. Just a quick draft but it's what I had to figure out in steps. @Teppo Kurki few more questions on the subject: 1. What happens with the token validity when you call logout api? 2. Does it affect the cookie token content if so how? 3. Does it impact remote clients token validity?
TK
Teppo Kurki37d ago
the base mechanisms are documented at https://signalk.org/specification/1.7.0/doc/security.html but that is not very practical
DG
David Godin37d ago
yeah. I read it before implemeting login in KIP, spoke with Scott, re read it today and still not clear on some things
TK
Teppo Kurki37d ago
all logout does is remove the session cookie. it has no effect on the token what do you mean with "remote client"? what is a "non remote client"? too bad i missed that conversation. well, better late than never sure, we can document these together. i am so far in that i can't see what others don't get. but the thing is there are multiple ways for doing things and some of the stuff is just built in browser logic, like including cookies and no access to headers for ws connections, so i am not too eager to replicate all that
DG
David Godin37d ago
makes sense so that means: 1. the token is not related to a user, it's just a key with expiration, right? 2. api requests to ApplicationData 'users/<username>' is available to any logged in user, right? Want me to contribute to the PR? I'll use the structure I proposed and leave points open to you when I don't have the answers. Then see if you like it.
TK
Teppo Kurki37d ago
1. no, the token does contain the user's identity 2. no. your path is not correct, it is singular /signalk/v1/applicationData/user/ and username is not part of the path, the user's identity is from the authenticated user
DG
David Godin37d ago
I mean the the folder path ~/.signalk/applicationData/users/<username>
TK
Teppo Kurki37d ago
what about it?
DG
David Godin37d ago
call to /signalk/v1/applicationData/user/ automatically maps to the ~/.signalk/applicationData/users/<username> folder, right?
TK
Teppo Kurki37d ago
yes. so what is your question?
DG
David Godin37d ago
just trying to make sure I understand so if/when I change KIP, the everything still works.
TK
Teppo Kurki37d ago
as a webapp author why would you care about directories on the server, as you work with the server's API?
DG
David Godin37d ago
is it a problem if I do?
TK
Teppo Kurki37d ago
or were you asking "is user specific applicationData available for all users"?
DG
David Godin37d ago
So to support cookie in KIP, the limitation would be that you have to build you KIP config with the same user as the users you want to use in other apps. That would be ok.
TK
Teppo Kurki37d ago
well, you talked about api requests but used concepts that are not in the api but directories on the server, so just trying to understand what it is you are asking / verrfying. no problem at all
DG
David Godin37d ago
Sorry. I was validating the relationship between logged in users and config storage folders so I can implement that change properly and explain it to users
TK
Teppo Kurki37d ago
the authentication method, cookie or header, does not change the user that you are authenticated as and under whose application user data Kip settings are stored switching to cookie based authentication should have no practical effect to the end users' settings except in cases where people login sequentially with different apps in different windows or there is something i am not getting? you login as user x, your settings are saved under user x's applicationdata and can be retrieved later
DG
David Godin37d ago
I get it. More questions! How does the server know who's who and what rights they have, if you have many people on different devices with different users?
TK
Teppo Kurki37d ago
they login with their username, then the username is included in the cookie/token payload when handling a request the username is extracted from the cookie/token and used to look up their access level details
DG
David Godin37d ago
So the token contains the user? Or it’s in some other cookie key?
TK
Teppo Kurki37d ago
yes, it does. above i already answered the token does contain the users’s identity and the username is included in the cookie/token payload - is there something still unclear about it? (no offense, just thought i made this point 2 times,)
DG
David Godin36d ago
This was the statement that confused me
C
Copprhead36d ago
Not sure where this is heading, but the question was asked if we need per-app sessions/auth or a shared session/auth. In my boat's setup, I have a display connected to the machine running SK at the chart table. There I want to use the SK UI as admin to do all the important SK stuff. And (in the same browser) I also want to use KIP, but as a user with only r/w permissions and probably sometimes changing user to get different instrument setups. All without interfering with the "remember-me-login" as admin in SK UI running in another tab. Would that mean per-app sessions?
Want results from more Discord servers?
Add your server
More Posts
Kees - Is it possible to share Layout across di...Is it possible to share Layout across different devices? If I save a layout to server, it only showsKees - Is there also support for using Multi Sw...Is there also support for using Multi Switches like the inverter charge state (inverting/on/off/charmshulman - @Scott Bender hi Scott, I'm having t...@Scott Bender hi Scott, I'm having trouble navigating the WSK UI on AppleTV. I can swipe right and lgregy - @Scott Bender … i saw the updated wsk t...@Scott Bender … i saw the updated wsk testflight.. and got excited 😦 … any thinking on the appleTV Copprhead - How can I add a waypoint from a plu...How can I add a waypoint from a plugin that is then immediately shown in Freeboard?Backup of Kip from CerboGX to PCI'm running Kip on a Victron CerboGX. After a intensive configuration in 2023 I lost my Kip-screens How do I determine if there is a courseOverGroundMagnetic?Subj.Copprhead - In '.signalk' I have a 'resources' ...In '.signalk' I have a 'resources' folder with 'charts', 'notes', 'regions', 'routes', 'waypoints' aheading infoAre there any simple ways to get bearing/heading info into SK (on RPI4)? (Not including commercial NCopprhead - When I load the SK server GUI in an...When I load the SK server GUI in an iframe, I cannot log in when using Chrome or Chromium, but with Rhumb Runner - Course Provider plugin seems to ...Course Provider plugin seems to have multiple errors in calculations for timeToGo, estimatedTimeOfArHow to send Grafana alerts to SignalKI'd like to use SignalK as a central point of all the notifications. I set up some alerts in GrafanaAdrianP - Freeboard-SK v2.6.0 beta with support...Freeboard-SK v2.6.0 beta with support for displaying S57 vector charts is available on NPM. `npm i @Roger - I'm trying to set up leeway using the D...I'm trying to set up leeway using the Derived Data plugin. on my boat, I'm getting attitude data frray_sabado - Is Hans here? I have a couple que...Is Hans here? I have a couple questions regarding B&G stuff.problem starting developmentI'm new to signalk development, trying to set up a development environment. Installed it raw on my mRoger - @Matti Airas, I have a problem with my ...@Matti Airas, I have a problem with my SH-ESP32 crashing or locking up every so often. When it happeConnection between only 2 NMEA2000 devicesIs it possible to connect only 2 NMEA2000 devices with a single cable without passing through a N2K PR review apps in fly.ioif somebody has experience with deploying PR review apps in fly.io with GH actions we could use themJörgen - I'd like to help with support for Garm...I'd like to help with support for Garmin Reactor autopilot for the signalk-autopilot plugin. I was t