OctoPrint/OctoPrint

cannot invalidate application tokens

Closed this issue · 6 comments

The problem

Users cannot invalidate application tokens

Did the issue persist even in safe mode?

Yes, it did persist

If you could not test in safe mode, please state why ("currently printing" is NOT an excuse!)

No response

Version of OctoPrint

1.10.0

Operating system running OctoPrint

dietpi

Printer model & used firmware incl. version

No response

Browser and version of browser, operating system running browser

No response

Checklist of files to include below

  • Systeminfo Bundle (always include!)
  • Contents of the JavaScript browser console (always include in cases of issues with the user interface)
  • Screenshots and/or videos showing the problem (always include in case of issues with the user interface)
  • GCODE file with which to reproduce (always include in case of issues with GCODE analysis or printing behaviour)

Additional information & file uploads

2024-04-28 11:02:45,911 - octoprint.server.api - ERROR - Error while executing SimpleApiPlugin appkeys
Traceback (most recent call last):
  File "/mnt/dietpi_userdata/octoprint/.local/lib/python3.11/site-packages/octoprint/server/api/__init__.py", line 162, in pluginCommand
    response = api_plugin.on_api_command(command, data)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/mnt/dietpi_userdata/octoprint/.local/lib/python3.11/site-packages/octoprint/util/__init__.py", line 1686, in wrapper
    return f(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^
  File "/mnt/dietpi_userdata/octoprint/.local/lib/python3.11/site-packages/octoprint/plugins/appkeys/__init__.py", line 381, in on_api_command
    if user_for_key is None or user_for_key.user_id != user_id:
                               ^^^^^^^^^^^^^^^^^^^^
AttributeError: 'User' object has no attribute 'user_id'

This is probably a security issue in truth, but the barrier to entry is pretty high.
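The traceback above fails on the ownership comparison for the key being deleted: the check reads an attribute the user model does not expose, so the request errors out before a decision is made. The following is an added illustration, not OctoPrint's code: a constructed in-memory key registry with the broken comparison beside a working one, plus the cases a regression test for this kind of bug should cover (owner, other user, admin, unknown key). The `User`, `AppKey` and `AppKeyStore` classes, the `get_id()` accessor and the sample keys are all assumptions made for the example.

```python
"""Added example (not OctoPrint's code): an ownership check for revoking
application keys, modelled on the failing comparison in the traceback above.
Every class, name and sample value here is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class User:
    """Hypothetical user model. Like many Flask-Login style models it exposes
    its identifier through get_id(); there is deliberately no `user_id`
    attribute, which is exactly what the AttributeError above complains about."""
    username: str
    admin: bool = False

    def get_id(self) -> str:
        return self.username


@dataclass
class AppKey:
    """One application key: the secret, the app it was issued to, and the
    identifier of the user who owns it."""
    key: str
    app_name: str
    owner_id: str


class AppKeyStore:
    """Constructed in-memory key registry with a broken and a working revoke."""

    def __init__(self) -> None:
        self._keys: Dict[str, AppKey] = {}

    def add(self, app_key: AppKey) -> None:
        self._keys[app_key.key] = app_key

    def keys_for(self, user_id: str) -> List[str]:
        return sorted(k.key for k in self._keys.values() if k.owner_id == user_id)

    def revoke_broken(self, key: str, requester: User) -> bool:
        """Reproduces the defect: compares against an attribute the user model
        does not have, so every call raises instead of deciding."""
        entry = self._keys.get(key)
        if entry is None or entry.owner_id != requester.user_id:  # AttributeError
            return False
        del self._keys[key]
        return True

    def revoke(self, key: str, requester: User) -> bool:
        """Ownership check against the identifier the model really exposes.
        Owners may revoke their own keys, admins anyone's; an unknown key or a
        foreign key is refused (False) rather than raising."""
        entry = self._keys.get(key)
        if entry is None:
            return False
        if entry.owner_id != requester.get_id() and not requester.admin:
            return False
        del self._keys[key]
        return True


def build_sample_store() -> AppKeyStore:
    # Constructed sample data: two operators, each with one application key.
    store = AppKeyStore()
    store.add(AppKey("KEY-ALICE-0001", "slicer", "alice"))
    store.add(AppKey("KEY-BOB-0002", "camera", "bob"))
    return store


def outcome_matrix() -> Dict[str, bool]:
    """The cases a regression test for this bug should cover; each case runs
    against a fresh store so the results do not depend on each other."""
    alice = User("alice")            # plain operator
    bob = User("bob")                # plain operator
    root = User("root", admin=True)  # administrator
    cases = {
        "owner revokes own key": ("KEY-ALICE-0001", alice),
        "other user revokes foreign key": ("KEY-ALICE-0001", bob),
        "admin revokes foreign key": ("KEY-ALICE-0001", root),
        "unknown key": ("KEY-NOPE-9999", alice),
    }
    return {name: build_sample_store().revoke(key, who)
            for name, (key, who) in cases.items()}


if __name__ == "__main__":
    for case, allowed in outcome_matrix().items():
        print(f"{case}: {'allowed' if allowed else 'refused'}")
    try:
        build_sample_store().revoke_broken("KEY-ALICE-0001", User("alice"))
    except AttributeError as exc:
        print("broken variant:", exc)
```

The broken variant is useful as a test fixture precisely because it fails the same way for every non-admin request: a unit test that only exercises the administrator path would have passed, so the owner and other-user cases are the ones worth pinning down.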

I am unable to reproduce this issue, where in the system are you pressing the delete key on the application key?

Username to User Settings to Application Keys. Click the trash icon and it pops up with the confirmation. Clicking 'proceed' results in a 500

The user is not an administrator (operator only). It looks like the administrator/initial user can delete tokens successfully.

(Edit to add: Sorry for the delay. The robot strongly hinted a human was not going to review this so I didn't check in.)

Logged in as a user I can reproduce this. Something must have gone wrong during a refactoring.

Fix is ready for 1.10.1 (even though the build currently fails for other reasons).

Confirmed working. Thanks!