Uploaded image for project: 'Mender'
  1. Mender
  2. MEN-1417

deviceauth: accepting a particular auth set should automatically reject all other out sets of that device



    • Type: Story
    • Status: Done
    • Priority: Medium
    • Resolution: Fixed
    • Affects Version/s: 1.2.0, 1.1.1
    • Fix Version/s: None
    • Labels:


      When accepting an authorization data set of a particular device, other auth sets should be invalidated (i.e. rejected). This does not happen now, and it's possible that the device will obtain a token using and older auth set (eg. device does a key rotation, the new auth set gets accepted, but the device will still be able to get a token using the older key).

      This work covers:

      • fixing deviceauth logic, steps:
        1. list all auth sets
        2. update db and reject all auth sets but the one that got accepted
        3. update db and accept the remaining auth set
      • trying to minimize the impact of not having transactions at DB level
      • adding migration
        • verify that timestamp works and if so migration shall switch all but the most recently updated accepted auth sets to rejected state
        • otherwise we should discuss how to identify the auth set that should be accepted




            • Assignee:
              mborzecki Maciej Borzecki
              mborzecki Maciej Borzecki
            • Votes:
              0 Vote for this issue
              3 Start watching this issue


              • Created:

                Zendesk Support