logging out all authenticated users


Dima Pasechnik, Jan 30, 2023, 11:54:39 AM, to Trac Users
In our installation of Trac 1.2, the only way I can disable a user's login is by
removing them manually from the file pointed at by htdigest_file=
in trac.ini's [account-manager] section.
(Somehow, the web admin interface does not do this :-( )

However, the user is still able to modify trac contents, as long as they
didn't log out in the browser (even after a reboot of the trac server).
So they still hold some kind of login/access token.

Question: how does one log out all the users from the server side
(i.e., expire their access tokens)?

------------------

We need this to make the trac server read-only.

Thanks,
Dima

Dima Pasechnik, Jan 30, 2023, 1:31:50 PM, to Trac Users
I'm now running "trac-admin <instance> session delete $uid" for all 3000+ sessions I see in the output of "trac-admin <instance> session list authenticated".

Will it have the desired effect?

Jun Omae, Jan 30, 2023, 6:23:48 PM, to trac-...@googlegroups.com
On Tue, Jan 31, 2023 at 1:54 AM Dima Pasechnik <dim...@gmail.com> wrote:
> Question: how does one log out all the users from the server side?
> (i.e., expire their access tokens) ?

Try deleting the records in the auth_cookie table.

--
Jun Omae <jun...@gmail.com> (大前 潤)

Dima Pasechnik, Jan 30, 2023, 6:53:55 PM, to trac-...@googlegroups.com
On Mon, Jan 30, 2023 at 11:23 PM Jun Omae <jun...@gmail.com> wrote:
>
> On Tue, Jan 31, 2023 at 1:54 AM Dima Pasechnik <dim...@gmail.com> wrote:
> > Question: how does one log out all the users from the server side?
> > (i.e., expire their access tokens) ?
>
> Try to delete records in auth_cookie table.

Where is this table? I only see

[trac]
auth_cookie_path =

in trac.ini.



Jun Omae, Jan 30, 2023, 7:12:52 PM, to trac-...@googlegroups.com
On Tue, Jan 31, 2023 at 8:53 AM Dima Pasechnik <dim...@gmail.com> wrote:
>
> On Mon, Jan 30, 2023 at 11:23 PM Jun Omae <jun...@gmail.com> wrote:
> >
> > On Tue, Jan 31, 2023 at 1:54 AM Dima Pasechnik <dim...@gmail.com> wrote:
> > > Question: how does one log out all the users from the server side?
> > > (i.e., expire their access tokens) ?
> >
> > Try to delete records in auth_cookie table.
>
> Where is this table? I only see

I said "table". A table is typically stored in a database....
See the [trac] database option in your Trac environment.

See also:

- https://trac.edgewall.org/wiki/1.2/TracInstall#MandatoryDependencies
- https://trac.edgewall.org/wiki/DatabaseBackend

Dima Pasechnik, Jan 31, 2023, 6:42:19 AM, to trac-...@googlegroups.com
On Tue, Jan 31, 2023 at 12:12 AM Jun Omae <jun...@gmail.com> wrote:
>
> On Tue, Jan 31, 2023 at 8:53 AM Dima Pasechnik <dim...@gmail.com> wrote:
> >
> > On Mon, Jan 30, 2023 at 11:23 PM Jun Omae <jun...@gmail.com> wrote:
> > >
> > > On Tue, Jan 31, 2023 at 1:54 AM Dima Pasechnik <dim...@gmail.com> wrote:
> > > > Question: how does one log out all the users from the server side?
> > > > (i.e., expire their access tokens) ?
> > >
> > > Try to delete records in auth_cookie table.
> >
> > Where is this table? I only see
>
> I said "table". Table is typically stored in database....
> See [trac] database option in your Trac environment.

Yes, I see now, thanks. Looking at the code in `web/auth.py`, I see a
search for a cookie for the user. And there are functions (in LoginModule) for
getting the user name from a cookie, _cookie_to_name() and _get_name_for_cookie(),
which don't seem to make any attempt to verify that the user name they get from the DB
record is a valid user (this is in Trac 1.2, as well as in the latest Trac 1.5.3).
Then _get_name_for_cookie() gets called in authenticate(), and again,
no attempt to validate the user is made.

From what we observe in Trac 1.2, users granted TRAC_ADMIN still have
their auth cookies in the DB, and are able to modify comments in tickets, despite being
removed as TRAC_ADMINs through the web admin,
and removed from the list of users in the file pointed to by htdigest_file=
in trac.ini's [account-manager] section
(and with their sessions removed via "trac-admin <> session delete <user>").
So it seems that such removals don't trigger a purge of their auth
cookies from the database, even after a full restart of Trac. Shouldn't there be a startup check
on users and cookies, so that cookies for users no longer present are invalidated?
Was this ever reported as a bug?

Anyhow, assuming all authenticated access to tickets goes via
authenticate() in LoginModule, it should
be trivial to make tickets read-only by making the latter return None
all the time...

Thanks,
Dima
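Jun's suggestion (delete the auth_cookie rows) and Dima's observation that a user's cookie rows outlive their htdigest entry, as an added Python example that is not part of this thread or of Trac's own code: it reads the user names from an htdigest file (constructed sample), works on an in-memory SQLite copy of the auth_cookie table (columns cookie, name, ipnr, time, as in Trac's default schema), and deletes the rows of users no longer listed, or every row to log everyone out. Against a real environment you would open the SQLite file named by the [trac] database option instead of the constructed one.

```python
import sqlite3
import time

# Constructed htdigest file body (user:realm:hash); the hashes are placeholders.
HTDIGEST_SAMPLE = """alice:trac:0123456789abcdef0123456789abcdef
bob:trac:fedcba9876543210fedcba9876543210
"""

def htdigest_users(text):
    """Return the set of user names listed in an htdigest file body."""
    users = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            users.add(line.split(":", 1)[0])
    return users

def open_sample_db():
    """In-memory SQLite DB with Trac's auth_cookie columns and constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE auth_cookie (cookie TEXT, name TEXT, ipnr TEXT, time INTEGER)")
    now = int(time.time())
    rows = [
        ("c0ffee01", "alice", "192.0.2.10", now),
        ("c0ffee02", "bob", "192.0.2.11", now),
        ("c0ffee03", "mallory", "192.0.2.12", now),          # removed from htdigest
        ("c0ffee04", "mallory", "192.0.2.13", now - 86400),  # older cookie, same user
    ]
    db.executemany("INSERT INTO auth_cookie VALUES (?, ?, ?, ?)", rows)
    db.commit()
    return db

def purge_orphan_cookies(db, valid_users):
    """Delete auth_cookie rows whose name is no longer an htdigest user.
    Returns the sorted names whose cookies were removed."""
    names = db.execute("SELECT DISTINCT name FROM auth_cookie")
    orphans = sorted(n for (n,) in names if n not in valid_users)
    db.executemany("DELETE FROM auth_cookie WHERE name = ?", [(n,) for n in orphans])
    db.commit()
    return orphans

def purge_all_cookies(db):
    """Log every user out by emptying auth_cookie; returns the row count removed."""
    (count,) = db.execute("SELECT COUNT(*) FROM auth_cookie").fetchone()
    db.execute("DELETE FROM auth_cookie")
    db.commit()
    return count

def remaining_names(db):
    return sorted(n for (n,) in db.execute("SELECT name FROM auth_cookie"))
```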