Uploaded image for project: 'Apache NiFi'
  1. Apache NiFi
  2. NIFI-6085

Bearer Token isn't killed after user logs out

Attach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.5.0
    • Fix Version/s: 1.10.0
    • Component/s: Security
    • Labels:
      None

      Description

      I observed that Authorization Bearer token is not invalidated after a logout.

      Steps to produce 

      Step 1: Login to Nifi as usual.

      Step 2: Copy the authorisation bearer token after the login from /nifi-api/access/token response.

      Step 3: Make a request a curl request as below and observe http 200 response is received with status information.

      curl -v -H "Authorization: Bearer <Token>" https://nifi-server/nifi-api/flow/status

      Step 4: Log out from Nifi Console 

      Step 5: Repeat Step 3 and observe again http 200 response is received with status information even though the user has logged out.

       

        Attachments

        Issue Links

          Activity

            People

            • Assignee:
              thenatog Nathan Gough
              Reporter:
              abdusahin Abdu Sahin

              Dates

              • Created:
                Updated:
                Resolved:

                Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0h
                0h
                Logged:
                Time Spent - 50m
                50m

                  Issue deployment