Currently, bearer token validation is not very solid. There are a few things that can be improved:
- Only Macaroon tokens are checked. But dCache also supports OIDC tokens. It would be nice to check them too.
- For checking, the external command `view-macaroon` is used (if it can be found). It would be nice to reduce external dependencies. Decoding tokens should be fairly easy to implement (something like split & base64 decode).
- Currently, only the expiration date of the macaroon is checked. We could consider checking also a few extra things, like: if you try to stage, does the macaroon have the required "UPDATE_METADATA" permission?
Such improved validation would be helpful to speed up troubleshooting for users, and reduce the number of helpdesk support requests. It might be extra helpful with bulk requests, because those are often accepted at first and only checked during processing. Some basic checks up front and failing early when needed will save some time.
Relevant piece of code:
SpiderScripts/ada/ada
Line 540 in 2a4a032
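The "split & base64 decode" check suggested in the issue, sketched for OIDC tokens as an added example; it is not code from the ada script, and all function names are hypothetical. It assumes the OIDC access token is a JWT, does not cover macaroons, and only reads the claims: signature verification stays with the server.

```shell
#!/bin/sh
# Added example (hypothetical helpers): client-side pre-flight check of a JWT bearer token.
# The claims are decoded only; the signature is NOT verified here.

# Decode one base64url segment: map '-' '_' back to '+' '/' and restore '=' padding.
b64url_decode() (
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
    1) exit 1 ;;                         # impossible length for base64
  esac
  printf '%s' "$s" | base64 -d 2>/dev/null
)

# Print the numeric "exp" claim; fail if the token is not a decodable JWT.
jwt_exp() (
  case $1 in
    *[!A-Za-z0-9._-]*|*.*.*.*) exit 1 ;; # illegal character or more than three parts
    ?*.?*.*) ;;                          # header.payload.signature
    *) exit 1 ;;
  esac
  payload=${1#*.}; payload=${payload%%.*}
  json=$(b64url_decode "$payload") || exit 1
  # Simplification: take the first "exp": <digits> pair instead of parsing the JSON.
  exp=$(printf '%s' "$json" | grep -Eo '"exp"[[:space:]]*:[[:space:]]*[0-9]+' \
        | head -n 1 | grep -Eo '[0-9]+$') || exit 1
  printf '%s\n' "$exp"
)

# check_token TOKEN [NOW]: 0 = not expired, 1 = expired, 2 = cannot be decoded.
check_token() (
  now=${2:-$(date +%s)}
  exp=$(jwt_exp "$1") || exit 2
  [ "$exp" -gt "$now" ] || exit 1
)

# Constructed sample input: an unsigned token with the given exp (test data only).
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
sample_token() {
  printf '%s.%s.%s' \
    "$(b64url_encode '{"alg":"RS256","typ":"JWT"}')" \
    "$(b64url_encode "{\"sub\":\"alice\",\"exp\":$1}")" \
    "c2ln"
}
```

Return code 2 lets a caller tell "expired" apart from "this is not a JWT", so a macaroon or an opaque OIDC token can be passed on to a different check instead of being rejected.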