github.com/treeverse/lakefs@v1.24.1-0.20240520134607-95648127bfb0/design/accepted/evict-user-from-auth-cache-on-reset-password.md

## The problem:
When a user logs in to lakeFS, we save their credentials in the auth cache.
This way, we avoid checking the user's credentials against the DB on each call the user makes.
Currently, when users reset their password, their old password is still stored in the auth cache, so they have to wait until it is evicted before they can log in using the new password.


## The suggested solution:
The intuitive solution is to evict users from the auth cache when they reset their password.
The problem with this solution is that we do not necessarily have a centralized cache, so we might need to evict the user from every auth cache they exist in.
This is why the simpler solution might be to not use the auth cache for email-password authentication at all.
This way, API calls that authenticate with an access key and secret still use the cache and skip the DB check, and we avoid the effort of evicting the user from every auth cache instance.
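
A minimal sketch of the suggested split, added here as an illustration and not taken from the lakeFS code base: two instances share one database but keep separate caches, password logins always read the database, and access-key lookups are cached. The names `Store`, `Instance`, `LoginPassword` and `AuthKey` are hypothetical, and SHA-256 stands in for a real password hash such as bcrypt to keep the example standard-library only.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Store stands in for the auth database (hypothetical, not the lakeFS schema).
type Store struct {
	pwHash  map[string][32]byte // email -> hash; SHA-256 is a stdlib stand-in for bcrypt
	secrets map[string]string   // access key ID -> secret access key
	Reads   int                 // DB round trips, to show what the cache saves
}

// SetPassword is the reset: it writes only to the DB, no cache eviction needed.
func (s *Store) SetPassword(email, pw string) { s.pwHash[email] = sha256.Sum256([]byte(pw)) }

type Instance struct {
	db    *Store            // database shared by all server instances
	cache map[string]string // this instance's cache: access key ID -> secret, never passwords
}

// LoginPassword always reads the DB, so every instance sees a reset at once.
func (i *Instance) LoginPassword(email, pw string) bool {
	i.db.Reads++
	want, ok := i.db.pwHash[email]
	got := sha256.Sum256([]byte(pw))
	return ok && subtle.ConstantTimeCompare(want[:], got[:]) == 1
}

// AuthKey serves access-key auth from the cache, reading the DB only on a miss.
func (i *Instance) AuthKey(id, secret string) bool {
	want, ok := i.cache[id]
	if !ok {
		i.db.Reads++
		if want, ok = i.db.secrets[id]; ok {
			i.cache[id] = want
		}
	}
	return ok && subtle.ConstantTimeCompare([]byte(want), []byte(secret)) == 1
}

func main() {
	db := &Store{pwHash: map[string][32]byte{}, secrets: map[string]string{}}
	a, b := &Instance{db, map[string]string{}}, &Instance{db, map[string]string{}}
	db.SetPassword("user@example.com", "old-pw") // constructed sample values
	db.SetPassword("user@example.com", "new-pw")
	fmt.Println(a.LoginPassword("user@example.com", "old-pw"), b.LoginPassword("user@example.com", "new-pw"))
}
```
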