This was initially introduced as a temporary flag to be able to get more
information. But if we get this kind of issue again, we'll need
something like this logging to determine the source of the session
collision. Rather than removing the code and adding it back in later,
convert this temporary switch into an opt-in setting that can be used
again in the future.
BREAKING_CHANGE: 'safe_session.log_request_user_changes' switch no
longer exists and is replaced with the 'LOG_REQUEST_USER_CHANGES' django
setting which defaults to 'False'
Previously they also had to have a valid JWT cookie which led to a weird
corner case where a user was logged in but still showed the login form
resulting in some confusion and odd behavior.
This change gives precedence to the session token to determine whether
or not someone is logged into the LMS but ensures that if you go through
the login flow, you refresh your JWT cookies. This should not cause any
breakage for MFE flows that might redirect to the LMS login page since
the JWT would get refreshed if it's out of date but the session is
valid.
Six frames was not enough because for DRF views the request gets wrapped
in a proxy object and so we need more of the stack to see what part of
the code we're in that actually invokes the use change.
Exposed the Date header on the outline api so clients can accurately compute times relative to the dates returned by the API; this was previously done with the course API (#26979)
Browser time is notoriously unreliable for this, especially for a Learner-facing countdown call-to-action based on the access expiration date. (REV-2126)
Using the Date header for this allows the client to make use of information that is already sent, does not require additional calls nor modifying the API, and could be generalized to more or all our APIs without modifying them.
A variety of updates were made to improve the toggle documentation:
* Added comments to help ensure that the waffle(), waffle_switches(),
waffle_flags() anti-pattern won't be contagious (copied).
* Some minor toggle_description updates.
* Removed empty toggle_target_removal_date annotations for
non-temporary toggles.
* Removed empty optional toggle_warnings annotations.
* Removed empty optional toggle_tickets annotations.
* Removed deprecated toggle_category, toggle_status,
and toggle_expiration_date annotations.
* Fixed some indents, use cases, and implementations.
ARCHBOM-1721
When a user logs out, there are warnings logged right now because the
session user_id mismatches(it becomes None on logout). Previously we
would log the request mismatch on debug and the session mismatch as
normal.
This change will result in us logging nothing if the session change is
not abnormal.
xblock information was not being translated correctly when using the blockstore runtime. This makes the i18n_service block-specific so it can look for additional i18n files that can be installed with the XBlock
Adds a command to create an API connection to credentials for testing
program certificates on devstack. This command is not meant to be ran
manually, and will be included in a provisioning type script that will
be added later.
Waffle flags are useful for gradual rollout but that's not possible this
high in the middleware because a lot of the data needed (request.user)
to partition incoming requests is not availabale this high in the
middleware.
Convert this to a WaffleSwitch which will be safer to operate.
Also increase the number of frames in the stack to print per change.
Printing just 1 did not provide enough info because DRF requests wrap
WSGI requests and have a setter proxy. It will be useful to figure out
how they do this in case it's better that what we're doing in the safe
sessions middleware.
Ticket: https://openedx.atlassian.net/browse/ARCHBOM-1718
The change is behind a WafleFlag and can be turned on to log every time
the `user` attribute of an instrumented request changes. This will
significantly increase log volume so it shouldn't be left on all the
time but can be turned on to quickly debug issues related to sessions.
Ticket: https://openedx.atlassian.net/browse/ARCHBOM-1718
For some SAML providers, learners are redirected to MFE and breaking
the flow. Check for running pipeline and if the provider is a SAML
provider keep them on FE.
VAN-425
If edxloggedin cookie is not present but the user is authenticated;
user is redirected to authn MFE and then back to dashboard instead
of the desired redirect URL (e.g. finish_auth) resulting in learners
not enrolling into the courses.
VAN-415
We were attempting to add course overrides twice to objects returned in
the toggle state report view. This was causing a TypeError (and thus a
500 error) because the second time, we were attempting to add entries to
an incorrect object.
This issue was not caught by unit tests because we were not testing the
view with WaffleFlagCourseOverride objects. This commit adds a unit test
to prevent future errors.
This is another fix for PR #27108.
This commit adjusts a few values in our discussions configuration APIs to make them match what the frontend needs, as well as to more accurately reflect the providers available today.
- The `active` provider ID is expressed as None if it doesn’t exist
- The “cs_comments_service” provider has been renamed “legacy” - when we implement the new discussions micro-frontend, we’ll also have a separate provider for that, so they can’t both be “cs_comments_service”. Also, cs_comments_service is such a bad name for anything.
- The hard-coded providers list in get_supported_providers now includes ‘legacy’ and ‘piazza’, our two known providers. This list will be updated as more known providers come online.
- The PROVIDER_FEATURE_MAP has similarly been updated.
Part of this task: TNL-8093
BREAKING CHANGE: Remove WaffleSwitchNamespace, WaffleSwitch, WaffleFlagNamespace,
and WaffleFlag from waffle_utils, in favor of the Legecy* classes
in edx-toggles. Although this is a breaking change, we have
preemptively removed all known uses.
BD-21
* temp: remove false positives on safe sessions middleware
This is a temporary fix to deal with false positives in the system due
to the masquerading feature. Long term we may not want to rely on
knowing about how masquerding works in the safe sessions middleware and
instead manage masquerding of the requset user in some other way.
Co-authored-by: Robert Raposa <rraposa@edx.org>
The toggle state report could not be shared with other IDAs. Here we make use
of the newly available report from edx_toggles, and customize it to add data
from WaffleFlagCourseOverrideModel.
If this happens, it's usefule to know what main view code was being
targetd so that we can more easily investigate what might have caused
this issue.
Add a new custom attribute 'safe_sessions.user_mismatch' to find
requests that had this issue in our monitoring system.
The `error_expected` custom attribute used to contain
both the class name and the error message. This had
the following issues:
* Combining data in the same custom attribute limits
the ability to query.
* The additional error class and message data is only
needed for ignored errors, since this data isn't
available elsewhere.
The following changes were made:
* `error_expected` will always have the value True
if present.
* `error_ignored` no longer exists.
* `error_ignored_class` will contain the error module
and class for ignored errors.
* `error_ignored_message` will contain the error message
for ignored errors.
ARCHBOM-1708
