How can one invalidate Client tokens?

funkyfuture · March 9, 2023, 12:08pm

hello community,

a computer of one of our users was stolen. on that computer a Seafile client is installed and associated with a user account on a Seafile server instance that we are responsible for. the device’s mass storage isn’t encrypted and due to the device’s designated use-case the user account of the OS isn’t password protected.

now, obviously we would like to revoke the token that the client is authenticating with. is that possible with the web interface? or could anyone hint me at the significant parts of the database table?

has anyone ever formalized how such situation is handled within an institution?

funkyfuture · March 15, 2023, 7:20pm

i tried my luck by following the hints in this section of the manual.

the results are again rather confusing than helpful, here are my observations after i deleted the tokens that were associated with a specific client i had set up for testing:

for a while a non-related error message appeared for synchronized library in the client
the client still shows all libraries
after a while the error message disappeared and the green cloud was displayed again
the device isn’t listed in the RepoTokenPeerInfo table
when adding an object to the local folder, a related error message appears stating that the server refuses access
one can still download objects via the “Seafile-Filebrowser”
one can still click on the header to gain access to the web-interface w/o providing credentials
a re-sync of the library is successful

so far i have only superficially inspected the databases and can’t make out a table by name where client-related information might be stored beyond RepoTokenPeerInfo and RepoUserToken.

germeier · March 15, 2023, 6:37pm

Did you try: Login to the web interface => System Admin => Devices => Unlink

unlink

funkyfuture · March 15, 2023, 7:19pm

thanks for the hint, but that doesn’t seem to be available with the version 8.0.5 that we are running.

germeier · March 15, 2023, 8:50pm

Checked with a user account on a 7.1 pro server. => Linked devices => unlink

“works for me™”

astruck · March 16, 2023, 9:38am

Thanks for checking. Possibly a “pro” feature not available in the “community edition”…

germeier · March 16, 2023, 12:53pm

Downgraded my 9.0.15 pro test instance to 9.0.10 CE => I still can unlink devices!

Please be advised: the icon only appears as an “on mouse over” event.

astruck · March 16, 2023, 1:19pm

Thank you for the downgrade test, very appreciated!
In two different browsers I only get a grey highlight bar ‘on mouse over’ in the SysAdmin panel “Devices” . No trashcan whatsoever.

kumarhimanshu · March 24, 2023, 8:25pm

it’s a good idea for institutions to have a policy in place for situations such as these, so that all staff know what to do and how to handle the situation.

funkyfuture · March 27, 2023, 10:23am

i see that the two mouse-hovering related events are listened to on the tr element that contains the information about a particular device with the Firefox developer tools. yet, nothing happens on onMouseEnter. the registered listeners are from /media/assets/frontened/static/js/sysAdmin.chunk.….js and seemingly are supposed to toogle the display of one or more icons:

function() {
  i.setState({
    isOpIconShown: !0
  })
}

inspecting with the Chromium developer tools, no event listener seems to be attached to that element at all.