feat!: Issue JWT for session pre-authentication #1927
API Changelog 4.9.1.dev2+gcd986def
Codecov Report. Attention: Patch coverage is

Coverage Diff (main vs. #1927):

                 main    #1927     +/-
  Coverage     84.73%   84.80%   +0.06%
  Files           208      211       +3
  Lines          6785     6875      +90
  Branches        466      472       +6
  Hits           5749     5830      +81
  Misses          874      879       +5
  Partials        162      166       +4
LGTM
Instead of the non-structured session token, issue a JWT containing `session_id`, `user_id`, `user_name` and `user_role`. More claims will be added in the future. During session connection, the backend issues a signed JWT token. The private key is auto-generated in the backend (if it doesn't exist) and can be exchanged via new CLI endpoints. The JWT is validated automatically for all requests to HTTP-based sessions. The JWT can be read from the `ccm_session_token` cookie and can be trusted by sessions. It may be used to extract user or session information in the sessions. The validate_token endpoint doesn't require an active database session anymore, reducing network traffic and improving the response times. This effectively makes sessions faster and improves stability. BREAKING CHANGE: Users with active sessions have to reconnect to their sessions after the update has been rolled out. We recommend installing the update when there are no active sessions.
Quality Gate passed
Instead of the non-structured session token, issue a nested JWT containing `session.id`, `user.id`, `user.name`, `user.email` and `user.role`. More claims will be added in the future. During session connection, the backend issues a signed JWT token. The private key is auto-generated in the backend (if it doesn't exist) and can be exchanged via new CLI endpoints.

The JWT is validated automatically for all requests to HTTP-based sessions. The JWT can be read from the `ccm_session_token` cookie and can be trusted by sessions. It may be used to extract user or session information in the sessions themselves. The validate_token endpoint doesn't require an active database session anymore, reducing network traffic and improving the response times. This effectively makes sessions slightly faster.

One of the best changes is for our developers: It's finally possible to reach sessions from the live-refresh environment again :)

BREAKING CHANGE: Users with active sessions have to reconnect to their sessions after the update has been rolled out. We recommend installing the update when there are no active sessions.
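The flow the description lays out (the backend signs a JWT with nested `session.*` and `user.*` claims, a session reads it back from the `ccm_session_token` cookie and verifies it before trusting it), as an added example that is not the project's code and not from the PR author. Everything beyond the claim names and the cookie name is an assumption: the nested JSON layout, the `iat`/`exp` claims, the function names, and the use of HS256 with a shared secret so that the block runs on the Python standard library alone. The PR describes a backend-generated private key, i.e. an asymmetric algorithm; a session would then verify with the public key (for example `jwt.decode(token, public_key, algorithms=["RS256"])` in PyJWT), and the checks shown here, pinning the algorithm, constant-time signature comparison, expiry and required claims, apply unchanged.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time
from http.cookies import SimpleCookie
from typing import Optional

COOKIE_NAME = "ccm_session_token"  # cookie name from the PR description
ALG = "HS256"  # assumption: pinned so a forged header cannot select another algorithm
REQUIRED = (("session", "id"), ("user", "id"), ("user", "name"),
            ("user", "email"), ("user", "role"))  # claims listed in the PR


class InvalidToken(Exception):
    """Raised for any token a session must not trust."""


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def issue_session_token(secret: bytes, session_id: str, user: dict,
                        ttl_s: int = 3600, now: Optional[int] = None) -> str:
    """Backend side (hypothetical): sign the nested claims plus iat/exp."""
    now = int(time.time()) if now is None else now
    claims = {
        "session": {"id": session_id},
        "user": {k: user[k] for k in ("id", "name", "email", "role")},
        "iat": now,
        "exp": now + ttl_s,
    }
    signing_input = _segment({"alg": ALG, "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_session_token(secret: bytes, token: str, now: Optional[int] = None) -> dict:
    """Session side: return the claims only if header, signature, expiry and
    the required nested fields all check out; otherwise raise InvalidToken."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
        presented = _b64url_decode(s_b64)
    except (ValueError, UnicodeDecodeError):
        raise InvalidToken("undecodable header or signature")
    # Reject alg=none and algorithm confusion: only the pinned ALG is honoured.
    if not isinstance(header, dict) or header.get("alg") != ALG:
        raise InvalidToken("unexpected alg")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):  # constant-time compare
        raise InvalidToken("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise InvalidToken("expired")
    for outer, inner in REQUIRED:
        if not isinstance(claims.get(outer), dict) or inner not in claims[outer]:
            raise InvalidToken(f"missing claim {outer}.{inner}")
    return claims


def claims_from_cookie_header(secret: bytes, cookie_header: str,
                              now: Optional[int] = None) -> dict:
    """What a session does with the incoming Cookie header."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if COOKIE_NAME not in jar:
        raise InvalidToken(f"no {COOKIE_NAME} cookie")
    return verify_session_token(secret, jar[COOKIE_NAME].value, now=now)


# Two attacker moves a session must reject; used by the self-check below.
def forge_role(token: str, role: str) -> str:
    """Rewrite user.role in the payload without re-signing."""
    h_b64, p_b64, s_b64 = token.split(".")
    claims = json.loads(_b64url_decode(p_b64))
    claims["user"]["role"] = role
    return f"{h_b64}.{_segment(claims)}.{s_b64}"


def strip_signature(token: str) -> str:
    """alg=none downgrade: same payload, empty signature."""
    _, p_b64, _ = token.split(".")
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{p_b64}."


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed; the backend key in practice
    user = {"id": "u-17", "name": "alice", "email": "alice@example.com", "role": "user"}
    tok = issue_session_token(secret, "sess-42", user, now=1_700_000_000)
    print(claims_from_cookie_header(secret, f"theme=dark; {COOKIE_NAME}={tok}", now=1_700_000_010))
    for bad in (forge_role(tok, "administrator"), strip_signature(tok)):
        try:
            verify_session_token(secret, bad, now=1_700_000_010)
        except InvalidToken as err:
            print("rejected:", err)
```

The `__main__` block issues a token, reads it back through a constructed `Cookie` header, and then shows that both a payload edit (role escalation) and an `alg=none` downgrade are rejected. The point for sessions that "can trust" the cookie is that the trust holds only after this verification; reading claims out of the cookie without checking the signature against the backend's key would let any client assert any `user.role`.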