
REST API logout not taking an effect

paweltrybus
8 - Cloud Apps

Hello everyone! I am trying to trigger building the datamodel from Apache Airflow. I am following this path to do so:
- I use GET `api/v1/authentication/login` endpoint to generate an access token
- I use POST `api/v2/builds` endpoint to schedule a new build
- I use GET `api/v2/builds/<datamodelId>` endpoint to check the build status
- I use GET `api/v1/authentication/logout_all` endpoint to log out all the tokens generated for this service account.

The logout step returns status code 204 and no body. The problem is that the access token generated in step 1 is still valid and I can use it to schedule a new build. This is a big security threat.

Has anyone met something similar? How can I solve the issue?

1 ACCEPTED SOLUTION

paweltrybus
8 - Cloud Apps

The support team helped to solve the issue. It turned out it is not feasible to disable access tokens with the `api/v1/authentication/logout_all` endpoint. Instead, the support team suggested turning on the token expiration and letting the tokens expire by themselves. Here are the instructions to turn on the token expiration:

  • Go to Sisense Admin -> Server & Hardware -> System Management -> Configuration
  • Click 5 times on the Sisense logo
  • Click Base
  • Search for Authentication and expand it
  • Enable `authentication.apiTokenExpiration` and save the changes

Thanks for the help!


7 REPLIES

DRay
Community Team Leader

Hello @paweltrybus.

Thank you for reaching out. I'm engaging internal resources to get feedback on this.

David Raynor (DRay)

DRay
Community Team Leader

In the meantime, have you reached out to Sisense support about this? They will be able to review logs and there might be a need for a patch or a fix from their side if this is identified as a bug.

David Raynor (DRay)

DRay
Community Team Leader

Can you look at the logout call? For the logout API, you need to supply the existing API token in the form 'Bearer' + <bearer token>

David Raynor (DRay)

paweltrybus
8 - Cloud Apps

Thanks for your answer, @DRay. After seeing your message I contacted support and I am waiting for the response.

I am using the header `Authorization: "Bearer <token>"` for the `api/v1/authentication/logout_all` endpoint.

DRay
Community Team Leader

Excellent. Can you update us when you get it resolved?

Thank you.

David Raynor (DRay)


DRay
Community Team Leader

Thank you for the update. I'm glad you were able to get it sorted out!

David Raynor (DRay)
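
A post-logout check for a pipeline like the one described in this thread, added here as an example (not code from the posters or from Sisense): it calls `logout_all`, then replays the same token against the build-status endpoint to see whether it is still accepted. It runs against a constructed local mock; the mock server, the token `tok-123`, the datamodel id `dm-1` and the 401/403 rejection codes are assumptions.

```python
import http.server, threading, urllib.error, urllib.request

LOGOUT = "/api/v1/authentication/logout_all"  # path quoted in the thread
PROBE = "/api/v2/builds/dm-1"                 # builds/<datamodelId>; "dm-1" is a made-up id
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy for localhost

def status(base, path, token):
    """GET base+path with the bearer token and return the HTTP status code."""
    req = urllib.request.Request(base + path, headers={"Authorization": "Bearer " + token})
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def token_survives_logout(base, token):
    """True if the token is still accepted after logout_all returned."""
    if status(base, PROBE, token) != 200:
        raise RuntimeError("token was not valid before logout; nothing to test")
    status(base, LOGOUT, token)
    # Assumption: a revoked token is answered with 401 or 403.
    return status(base, PROBE, token) not in (401, 403)

def mock_server(revokes):
    """Constructed stand-in API: logout_all always answers 204, drops the token only if `revokes`."""
    valid = {"tok-123"}  # constructed sample token
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            tok = self.headers.get("Authorization", "").removeprefix("Bearer ")
            if tok not in valid:
                code = 401
            elif self.path == LOGOUT:
                code = 204
                if revokes:
                    valid.discard(tok)
            else:
                code = 200
            self.send_response(code)
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):  # keep the demo output quiet
            pass
    srv = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"

if __name__ == "__main__":
    for revokes in (False, True):
        srv, base = mock_server(revokes)
        print(f"revokes={revokes}: token survives logout = {token_survives_logout(base, 'tok-123')}")
        srv.shutdown()
```

Run as the last task of the pipeline, a `True` result means the 204 from the logout call cannot be taken as proof that the token is dead, and the token's lifetime has to be bounded by expiration instead.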