EVEREST-1925 Blocklisting mechanism #1293

Open
wants to merge 14 commits into base: EVEREST-1923-new-logout-flow

Conversation

oksana-grishchenko
Contributor

@oksana-grishchenko oksana-grishchenko commented Apr 8, 2025

Problem:
When a user logs out, their token remains valid until the natural expiration time specified in the token itself. For the built-in Everest authentication the token lifetime is 24h, which introduces security concerns even though the built-in authentication is not recommended for production use.

Solution:
Implement the blocklisting mechanism according to the proposal.

This PR does:

  • Add the new DELETE /session endpoint, which adds the current token information to the blacklist.
  • On each request, check the blacklist and reject the request if the token is blacklisted. The check uses cached data, so no overhead is added in terms of additional k8s requests.
  • Add a mechanism to clean up the blacklist: each time a new value needs to be blocklisted, we clean up outdated data from the list.
  • Add a mechanism to cache the blacklist. Initially the idea was to use the controller-runtime cache; however, since the blocklist secret is managed by everest-server only and is not touched by any external components like the CLI, there is no need to watch for secret changes using mechanisms like an informer, because we know for sure when an update happens and can update the cache.
  • Add a rate limit for the DELETE /session endpoint. The rate-limiting rule which was applied to the POST /session endpoint is now applied to DELETE /session as well; for more details see EVEREST-1157 Add /session rate limits #530.
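An illustrative blocklist in Go with the three properties the description above lists: revoke on logout, expiry-based cleanup of stale entries on each insert, and a per-request check that reads only an in-memory cache kept current by the single writer. This is added example code, not Everest's implementation; the `persist` hook stands in for the Secret write, and the `Blocklist` type and its method names are assumptions.

```go
package main

import (
	"sync"
	"time"
)

// Blocklist is an illustrative (not Everest's) revoked-token list keyed by token ID with the token's own expiry.
type Blocklist struct {
	mu      sync.RWMutex
	entries map[string]time.Time             // token ID -> natural expiry (the cache)
	now     func() time.Time                 // clock, injectable for tests
	persist func(map[string]time.Time) error // hypothetical store write, e.g. to a Secret
}

// NewBlocklist takes the clock and the store writer (both required here).
func NewBlocklist(now func() time.Time, persist func(map[string]time.Time) error) *Blocklist {
	return &Blocklist{entries: map[string]time.Time{}, now: now, persist: persist}
}

// Block revokes tokenID on logout: rebuild the list without expired entries, write it
// to the store, and only then swap in the new cached copy, so the cache never runs
// ahead of what was persisted. A token that has already expired needs no entry.
func (b *Blocklist) Block(tokenID string, exp time.Time) error {
	b.mu.Lock()
	defer b.mu.Unlock()
	now := b.now()
	next := make(map[string]time.Time, len(b.entries)+1)
	for id, e := range b.entries {
		if e.After(now) {
			next[id] = e
		}
	}
	if exp.After(now) {
		next[tokenID] = exp
	}
	if err := b.persist(next); err != nil {
		return err // store unchanged, so the cache stays unchanged too
	}
	b.entries = next
	return nil
}

// IsBlocked is the per-request check; it reads only the in-memory cache (no store round trip).
func (b *Blocklist) IsBlocked(tokenID string) bool {
	b.mu.RLock()
	defer b.mu.RUnlock()
	exp, ok := b.entries[tokenID]
	return ok && exp.After(b.now())
}
```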

Comment on lines +62 to +67

```yaml
'429':
  description: Too many attempts
  content:
    application/json:
      schema:
        $ref: '#/components/schemas/Error'
```

@oksana-grishchenko oksana-grishchenko Apr 8, 2025

The endpoint can already return a 429 status, but this wasn't reflected in the API spec.

@oksana-grishchenko oksana-grishchenko changed the base branch from main to EVEREST-1923-new-logout-flow April 8, 2025 14:00
@oksana-grishchenko oksana-grishchenko changed the title EVEREST-1925 [WIP] Blocklisting mechanism EVEREST-1925 Blocklisting mechanism Apr 8, 2025
@oksana-grishchenko oksana-grishchenko marked this pull request as ready for review April 8, 2025 14:41
@oksana-grishchenko oksana-grishchenko requested a review from a team as a code owner April 8, 2025 14:41