Do session keys have a timeout/lifetime?

[uedvt359]

We have a long runnning process (a small rest api that generates device config files). This process fetches a session key on startup and keeps using it forever (until it is restarted). Since switching from DanSheps' plugin to this one, we noticed that our restapi sometimes fails with 400 Bad Request: ['Invalid session key.'] and needs to be restarted to work again.

Q: Are session keys invalidated after some time? can this be turned off or is the length at least configurable?

[uedvt359]

@abhi1693, can you please share you insight on this?

[abhi1693]

Can you show how you are calling the API? Because there isn't any timeout as such unless you are using it via the browser cookie.

If you are using the new API, then you can refer to the serializer here to ensure you are passing the correct payload.

https://github.com/Onemind-Services-LLC/netbox-secrets/blob/master/netbox_secrets/api/serializers.py#L98

[uedvt359]

on startup of our Flask app, we call this code (simplified):

        session_key = (
            self.http_session.post(
                "https://my.netbox.tld/api/plugins/secrets/session-keys/",
                headers={
                    "accept": "application/json",
                    "authorization": "Token {}".format(self.token),
                },
                json={"private_key": private_key.strip("\n"), "preserve_key": True},
            ).json()["session_key"]
        )
        self.http_session.headers.update({"X-Session-Key": session_key})

This session_key gets attached to a requests Session (http_session), and used for every request to the netbox api. this works for some undetermined amount of time, and then the session key becomes invalid.

[abhi1693]

Is it possible that another user is calling the endpoint with the same token? That may invalidate the session key if preserve_key is not used

[uedvt359]

we use the above code everywhere we use secrets, so preserve_key will always be used

[abhi1693]

@kprince28 Have you seen this issue or know how to reproduce? Because this is not an issue on my setup.

[uedvt359]

by pure luck we managed to identify when this bug occurs: if a user adds their session key, it invalidates all other user's session keys!

here is the relevant commit:

fd2a22a#diff-9990b46add1ad8ae1af4d8e4ee578166248d807cff0d20ba7724fa400e71388dL187-R228

(note that this commit, descriptively named "misc cleanup", modifies 26 files, and is contained in a pull request with 42 commits! it's completely unsurprising that bugs get introduced when code is pushed in such an unauditable way and without any review attempts at all)

I also found out that this bug has been fixed in the meantime, in 1d00380.