
Replace current inactivity process with new session idle process #12552

@richard-cox

RFC: Add ability to configure session idle timeout

Describe the solution you'd like

  • Currently the UI has a local, browser-based inactivity process where, after a configurable amount of time, we show a modal with a countdown. On reaching 0 the UI will close sockets and only allow the user to refresh the page to continue
  • The concept of idle state will now be controlled via the backend and we need to update the above process with it
    • Remove the performance configuration section for the old inactivity process
      • For a minor release cycle (?) replace content with banner to indicate new process and location of settings
    • Add a new setting to handle updates to auth-user-session-idle-ttl-minutes
      • We need to make the description for it and auth-user-session-ttl-minutes crystal clear
        • auth-user-session-ttl-minutes - "Custom TTL (in minutes) on a user auth session. This is the maximum duration a session can stay alive regardless of user activity in a browser. This should be larger than auth-user-session-idle-ttl-minutes"
        • auth-user-session-idle-ttl-minutes - "Custom idle TTL (in minutes) on a user auth session. This is the maximum duration a session can stay alive when there is no user activity in a browser. This should be larger than auth-user-session-ttl-minutes"
    • When the user interacts with the UI they are classed as active and we update the backend
      • This should happen at log-in (when the session starts)
      • This should be debounced by the idle timeout (to avoid spam)
      • To update backend
        • Find token associated with current session
        • POST to a new endpoint /v1/cattle.io.ext.useractivity
          • {
              "apiVersion": "ext.cattle.io/v1",
              "kind": "UserActivity",
              "spec": {
                "tokenId": "token-xxxxx"
              }
            }
            
          • tokenId comes from the /v3/tokens resource associated with the current session
          • The response will contain the date + time the session is set to expire on
            • status.currentTimeout
    • We should track the current idle timeout time and when approaching it
      • When x (tbd) time away from the auth-user-session-idle-ttl-minutes we make a GET request to /v1/cattle.io.ext.useractivity to fetch the latest currentTimeout value.
      • If this has changed - we need to restart the process to trigger x time away from the new timeout date / time
      • If this is the same
        • stop watching for user interaction
        • show the idle modal with countdown
        • if user specifies they're here POST to /v1/cattle.io.ext.useractivity as per user activity and close modal
        • if no user action, in theory we should just be able to refresh the page and the user is taken to log in (needs confirming)

Additional context
SURE-2982

Dependent on rancher/rancher#45931
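
The activity and idle flow from the issue above as a pure state machine, added here as an illustration and not taken from the rancher/dashboard code base. `WARN_BEFORE_MS` stands in for the undecided "x", `MIN_POST_INTERVAL_MS` is an assumed debounce window, the event and effect names are hypothetical, and `status.currentTimeout` is assumed to be an ISO 8601 string.

```javascript
// Added example (not Rancher dashboard code). WARN_BEFORE_MS stands in for the
// issue's undecided "x"; MIN_POST_INTERVAL_MS is an assumed debounce window.
const WARN_BEFORE_MS = 60 * 1000;
const MIN_POST_INTERVAL_MS = 30 * 1000;

// Request body for POST /v1/cattle.io.ext.useractivity, as given in the issue.
function userActivityBody(tokenId) {
  return { apiVersion: 'ext.cattle.io/v1', kind: 'UserActivity', spec: { tokenId } };
}

// Log-in counts as activity: the session starts with an immediate POST.
function start(tokenId, now) {
  const state = { tokenId, watching: true, modal: false, lastPost: now, currentTimeout: null };
  return { state, effect: { type: 'POST', body: userActivityBody(tokenId) } };
}

// Pure transition: (state, event) -> { state, effect }. The caller performs the
// effect (HTTP call, timer, modal) and feeds the outcome back in as an event.
function step(state, event) {
  const post = { type: 'POST', body: userActivityBody(state.tokenId) };
  switch (event.type) {
    case 'interaction': // user activity seen at event.now (ms since epoch)
      if (!state.watching || event.now - state.lastPost < MIN_POST_INTERVAL_MS) {
        return { state, effect: null }; // modal is open, or debounced
      }
      return { state: { ...state, lastPost: event.now }, effect: post };
    case 'posted': { // POST response; event.currentTimeout = status.currentTimeout
      const currentTimeout = Date.parse(event.currentTimeout);
      return { state: { ...state, currentTimeout },
        effect: { type: 'TIMER', at: currentTimeout - WARN_BEFORE_MS } };
    }
    case 'timer': // fired x before the known timeout: ask the backend again
      return { state, effect: { type: 'GET' } };
    case 'fetched': { // GET response
      const latest = Date.parse(event.currentTimeout);
      if (latest !== state.currentTimeout) { // changed: restart the wait
        return { state: { ...state, currentTimeout: latest },
          effect: { type: 'TIMER', at: latest - WARN_BEFORE_MS } };
      }
      return { state: { ...state, watching: false, modal: true }, // unchanged: go idle
        effect: { type: 'SHOW_MODAL', expiresAt: latest } };
    }
    case 'confirm': // user said they are here: POST as per activity, close modal
      return { state: { ...state, watching: true, modal: false, lastPost: event.now }, effect: post };
    default:
      return { state, effect: null };
  }
}
```

Keeping the transitions free of I/O means the debounce and the "changed versus unchanged" branch can be unit-tested without a backend; the caller maps `POST`, `GET`, `TIMER` and `SHOW_MODAL` onto real requests, timers and the modal.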
