paweltrybus
Cloud Apps
07-05-2024
Solved

REST API logout not taking an effect

Hello everyone! I am trying to trigger building the datamodel from Apache Airflow. I am following this path to do so:
- I use GET `api/v1/authentication/login` endpoint to generate an access token
- I use POST `api/v2/builds` endpoint to schedule a new build
- I use GET `api/v2/builds/<datamodelId>` endpoint to check the build status
- I use GET `api/v1/authentication/logout_all` endpoint to log out all the tokens generated for this service account.

The logout step returns status code 204 and no body. The problem is that the access token generated in step 1 is still valid and I can use it to schedule a new build. This is a big security threat.

Has anyone met something similar? How to solve the issue?

7 Replies

  • Thanks for your answer, DRay. After seeing your message I contacted support and I am waiting for the response.

    I am using the header `Authorization: "Bearer <token>"` for the `api/v1/authentication/logout_all` endpoint.

    • DRay
      Admin

      Excellent. Can you update us when you get it resolved?

      Thank you.

  • The support team helped to solve the issue. It turned out it is not feasible to disable access tokens with the `api/v1/authentication/logout_all` endpoint. Instead, the support team suggested turning on token expiration and letting them expire by themselves. These are the instructions to turn on token expiration:

    • Go to Sisense Admin -> Server & Hardware -> System Management -> Configuration
    • Click 5 times on the Sisense logo
    • Click Base
    • Search for Authentication and expand it
    • Enable authentication.apiTokenExpiration and save the changes

    Thanks for the help!

     

    • DRay
      Admin

      Thank you for the update. I'm glad you were able to get it sorted out!

  • Hello paweltrybus.

    Thank you for reaching out. I'm engaging internal resources to get feedback on this.

  • In the meantime, have you reached out to Sisense support about this? They will be able to review logs and there might be a need for a patch or a fix from their side if this is identified as a bug.

  • Can you look at the logout call? For the logout API, you need to supply the existing API token in the form 'Bearer' + <bearer token>.
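
A post-logout check for the behaviour discussed in this thread, added here as an example and not code from the posters or from Sisense: it calls `logout_all` with the Bearer header and then replays the same token against a protected path. The local stub server, the token value and the datamodel id are constructed stand-ins (assumptions) so the check runs offline.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

LOGOUT_PATH = "/api/v1/authentication/logout_all"  # endpoint named in the thread
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies

def _status(url, token):
    """GET url with 'Authorization: Bearer <token>' and return the HTTP status code."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with _opener.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def token_survives_logout(base_url, token, probe_path):
    """Call logout_all, then replay the token. True means the token was not revoked."""
    _status(base_url + LOGOUT_PATH, token)  # a 204 here proves nothing by itself
    return 200 <= _status(base_url + probe_path, token) < 300

def start_stub(revokes_on_logout):
    """Constructed local stand-in for the API server (assumption, not vendor code)."""
    valid = {"constructed-token"}
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            token = self.headers.get("Authorization", "").removeprefix("Bearer ")
            if token not in valid:
                self.send_response(401)
            elif self.path == LOGOUT_PATH:
                if revokes_on_logout:
                    valid.discard(token)
                self.send_response(204)
            else:
                self.send_response(200)
            self.end_headers()
        def log_message(self, *args):  # keep the demo quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"

def demo(revokes_on_logout):
    server, base = start_stub(revokes_on_logout)
    try:
        return token_survives_logout(base, "constructed-token", "/api/v2/builds/constructed-id")
    finally:
        server.shutdown()
        server.server_close()
```

`demo(False)` reproduces the reported case (204 on logout, token still accepted); pointed at a real base URL, `token_survives_logout` can run as the last task of the Airflow job to alert when a token outlives its logout.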