Authentication token in the attachment link in a card getting stale

I’m self-hosting a Taiga instance for the punk zine Razorcake and it has around 100 users on eight kanban boards. These users are not proficient with computers.

Two users complained they got an error (no permission) trying to download an attachment. The only way I figured out how this is happening is by staying inactive on a card page (I don’t know the lifespan of the token; I tried one hour) and then trying to download without refreshing the page. I have reproduced the issue on all browsers on Windows and on Safari for Mac (strangely, Safari downloads something, but the downloaded file is garbage).

I have looked at the HTML page and saw that the attachment links contain the token. I don’t know the lifespan of the token. So I have deduced that the lifespan of the token is less than an hour: the user was not doing anything on Taiga, stayed on a card page for at least one hour and, finally, tried to download an attachment. The user is still logged in to Taiga. If he refreshes the page, then everything works.

For me it seems to be a design flaw and not easy to fix. I don’t know if it is possible to do a wrapper in JavaScript on the link to refresh or get a new token while the user is still logged in to Taiga.

For now, we are telling the users to refresh the page if they get this error.

Does anyone have any comments on this?

Hi there,

If you installed using docker, there is an environment variable called ATTACHMENTS_MAX_AGE. That sets the time, in seconds, that a token is valid before the server refreshes it.

If you installed from source, the taiga-protected folder should have a .env file with a MAX_AGE variable. It works the same.

After changing the value, restart your services or recreate the containers.

Hope this helps,

Best regards!
