fix: InactivitySessionTimeoutMiddleware: Check for last_login (allow Django admin login + access) #6800
base: develop
Conversation
Only check for last_login when it is actually set in the session. Otherwise a user is immediately logged out when not logged in via the user_login view (for example via the Django admin).
label_studio/core/settings/base.py
Outdated
@@ -56,6 +56,10 @@ | |||
'handlers': ['console'], | |||
# 'propagate': True, | |||
}, | |||
'core': { |
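Review bot: the `@@ -56,6 +56,10 @@` header says four lines were added, but only the opening `'core': {` of the new logger entry is visible here, so its `level`, `handlers` and `propagate` settings cannot be reviewed from this hunk. The neighbouring entry keeps `# 'propagate': True,` commented out and routes to `'handlers': ['console']`; the new `core` entry should follow the same pattern so the middleware's logout message reaches the console once, and not a second time through the root handler.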
why do we need this?
I added this because in the InactivitySessionTimeoutMiddleware the following is being logged:
label-studio/label_studio/core/middleware.py
Lines 216 to 219 in 2e360bc
```python
logger.info(
    f'Request is too far from last login {current_time - last_login:.0f} > {settings.MAX_SESSION_AGE}; logout'
)
logout(request)
```
But this was not visible in the console. It would have saved me a lot of time figuring out why I couldn't log in to the Django admin, so that's why I added it.

As an alternative (and less intrusive change), I now changed the above logging expression to logger.warn: 70b0b97

Now it is shown in the console by default, without adding a separate logger config for the core app:

```
[2024-12-18 09:15:47,382] [core.middleware::process_request::217] [WARNING] Request is too far from last login 1734513347 > 1209600; logout
```
PR fulfills these requirements
[fix|feat|ci|chore|doc]: TICKET-ID: Short description of change made
ex. fix: DEV-XXXX: Removed inconsistent code usage causing intermittent errors
Note: I do not (yet) understand what the TICKET-ID should be and how to decide the commit message with this DEV-XXXX prefix, therefore I left it empty for now and just added the commit message. (Suggestion: add documentation for outside collaborators on how they can determine this.)

Change has impacts in these area(s)
(check all that apply)
Not really sure which one to choose.

Describe the reason for change
Allows login into the Django admin "out of the box", and makes sure no last_login comparison is made when never logged in. See also the issue Admin Page - Not letting login #4083.

What does this fix?
Allows users to log in via the Django admin login screen (/admin/login).

What is the new behavior?
The InactivitySessionTimeoutMiddleware won't automatically log out a user when last_login is not set in the user session.

What is the current behavior?
The InactivitySessionTimeoutMiddleware logs out all users who do not have the last_login value set > 0 in the user session.

What libraries were added/updated?
N/A

Does this change affect performance?
No

Does this change affect security?
No

What alternative approaches were there?
I suggest completely removing the InactivitySessionTimeoutMiddleware in a future release. Session expiration time can be set out of the box via SESSION_COOKIE_AGE. If manual extension / adjustment of the session time is required, you can use the .set_expiry() method (in the /users/login view, for example).

What feature flags were used to cover this change?
N/A

Does this PR introduce a breaking change?
(check only one)

What level of testing was included in the change?
(check all that apply)

Which logical domain(s) does this change affect?
(for bug fixes/features, be as precise as possible. ex. Authentication, Annotation History, Review Stream etc.)
Authentication
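An added, self-contained illustration of the "current" and "new" behaviour described in the template above (example code written for this page, not code from the Label Studio repository): a session without last_login is read as 0 by the old check, which is why the log line shows the full epoch timestamp compared against MAX_SESSION_AGE. The constant, the session dicts and the timestamp are constructed from that log line; treating an absent or zero last_login as "not set" is an assumption about the fix.

```python
# Assumed to match the log line quoted in the discussion: 1209600 s (14 days).
# In the real project this comes from settings.MAX_SESSION_AGE.
MAX_SESSION_AGE = 1209600


def should_logout_current(session, current_time, max_age=MAX_SESSION_AGE):
    """Behaviour the PR calls 'current': a missing last_login is treated as 0,
    so 'time since login' becomes the whole Unix epoch and always exceeds
    max_age. Sessions created outside the user_login view (for example via
    the Django admin login) are therefore logged out on the next request."""
    last_login = session.get('last_login', 0)
    return current_time - last_login > max_age


def should_logout_fixed(session, current_time, max_age=MAX_SESSION_AGE):
    """Behaviour the PR calls 'new': compare only when last_login was set.
    Assumption: an absent or zero value counts as 'not set'."""
    last_login = session.get('last_login')
    if not last_login:
        return False
    return current_time - last_login > max_age


def logout_message(session, current_time, check, max_age=MAX_SESSION_AGE):
    """Return the message the middleware logs (format quoted above) when the
    given check decides to log the user out, or None when it does not."""
    if not check(session, current_time, max_age):
        return None
    diff = current_time - session.get('last_login', 0)
    return f'Request is too far from last login {diff:.0f} > {max_age}; logout'


if __name__ == '__main__':
    # Constructed sample sessions; the timestamp is the one from the log line.
    now = 1734513347
    samples = {
        'admin': {},                                    # logged in via /admin/login
        'stale': {'last_login': now - MAX_SESSION_AGE - 1},
        'fresh': {'last_login': now - 60},
    }
    for name, session in samples.items():
        print(f'{name:5} current={should_logout_current(session, now)} '
              f'fixed={should_logout_fixed(session, now)}')
    print(logout_message({}, now, should_logout_current))
```

Sessions that never set last_login fall back to Django's own SESSION_COOKIE_AGE expiry, as the alternative-approaches section points out.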