
User JWT Token refresh occurs with every HTTP request instead of every 5 minutes


    Details

    • Edition:
      Community
    • Production Notes:
      None

      Description

      Why

      JWT token refresh: to keep the session open for the configured amount of time, the expiration date of the JWT token must be extended on every interaction with SonarCloud. Unfortunately, a JWT token is immutable. The only way to let the session continue for the configured amount of time starting from now is therefore to replace the user's JWT token with a new one that carries an extended expiration date.

      This is achieved through a "token refresh", hardcoded to occur every 5 minutes. However, after the first 5 minutes the token is refreshed on every HTTP request, generating a large number of new tokens. See the dogfood thread for details.

      What

      The date the code compares against to decide whether the token should be refreshed is incorrect: it is always the creation date of the first JWT token generated when the user authenticated.

      The reason for this is in method `refreshToken` here:

      private void refreshToken(Claims token, HttpServletRequest request, HttpServletResponse response) {
        // Build a new token String from the current claims with an extended expiration date
        String refreshToken = jwtSerializer.refresh(token, sessionTimeoutInSeconds);
        // Send the refreshed token back to the browser in the JWT cookie
        response.addCookie(createCookie(request, JWT_COOKIE, refreshToken, sessionTimeoutInSeconds));
        // Keep the CSRF state aligned with the lifetime of the new token
        jwtCsrfVerifier.refreshState(request, response, (String) token.get(CSRF_JWT_PARAM), sessionTimeoutInSeconds);
      }

      This method sends a "refreshed" token to the user. The new token is created from the current one (the content of the token is represented by the `Claims` object).

      The new token String value is created by the method `jwtSerializer.refresh`. This method updates the expiration date of the token but not the "lastRefreshTime" field, so that field keeps the same value forever. As a result, every refresh decision is made against the original login time, and once 5 minutes have passed the check succeeds on every request.
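      To make the failure mode concrete, the following is an added Python model of the refresh decision, not SonarQube's own code: the claim names, the 5-minute interval, the session timeout value and the request timeline are all constructed assumptions. It replays the same traffic against a refresh that leaves "lastRefreshTime" untouched (the reported defect) and against one that updates it.

```python
from dataclasses import dataclass

REFRESH_INTERVAL_SECONDS = 5 * 60       # hard-coded 5-minute refresh window from the issue
SESSION_TIMEOUT_SECONDS = 3 * 60 * 60   # assumed session timeout (constructed value)


@dataclass
class Claims:
    """Minimal stand-in for the JWT claims (all values are epoch seconds)."""
    created_at: int
    last_refresh_time: int
    expires_at: int


def refresh_claims(token: Claims, now: int, update_last_refresh: bool) -> Claims:
    # Models jwtSerializer.refresh: the expiration date is always extended.
    # With update_last_refresh=False the lastRefreshTime field is left as-is,
    # which reproduces the defect described in the issue.
    return Claims(
        created_at=token.created_at,
        last_refresh_time=now if update_last_refresh else token.last_refresh_time,
        expires_at=now + SESSION_TIMEOUT_SECONDS,
    )


def needs_refresh(token: Claims, now: int) -> bool:
    # A refresh is due once the last refresh is at least one interval old.
    return now - token.last_refresh_time >= REFRESH_INTERVAL_SECONDS


def simulate_requests(request_times: list, update_last_refresh: bool) -> list:
    """Replay HTTP requests at the given times (seconds since login) and return
    the times at which a new token was issued."""
    token = Claims(created_at=0, last_refresh_time=0, expires_at=SESSION_TIMEOUT_SECONDS)
    issued = []
    for now in request_times:
        if needs_refresh(token, now):
            token = refresh_claims(token, now, update_last_refresh)
            issued.append(now)
    return issued


if __name__ == "__main__":
    # Constructed traffic: one request every 30 seconds for 15 minutes.
    times = list(range(0, 15 * 60 + 1, 30))
    print("buggy refresh times:", simulate_requests(times, update_last_refresh=False))
    print("fixed refresh times:", simulate_requests(times, update_last_refresh=True))
```

      With the defective refresh a token is issued on every request from the 5-minute mark onward; with lastRefreshTime updated, only one token is issued per 5-minute interval.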


            People

            Assignee:
            julien.lancelot Julien Lancelot
            Reporter:
            mark.clements Mark Clements
            Votes:
            0
            Watchers:
            3
