fix(auth): interact redirect #2832
Conversation
packages/auth/src/app.ts
// hgetall returns every field as a string, so the numeric fields are coerced by hand
const s = await redis.hgetall(key)
const session = {
  nonce: s.nonce,
  _expire: Number(s._expire),
  _maxAge: Number(s._maxAge)
}
return session
This would lose anything from `s` not explicitly set in `session`. Not sure we can assume the only properties set on the session in Redis will be these. We could do `session = { ...s, _maxAge: Number(s._maxAge), _expire: Number(s._expire) }`, but that would have the same problem if the other fields are expected not to be strings (just like we saw with `maxAge`).

I think a more common way of getting/setting is `JSON.stringify(object)` on set and `JSON.parse(string)` on get, which would take care of converting these to numbers without manually re-forming the session object. Hashes were suggested to me originally when I implemented this, but not sure it's the best way to do it now that we're running into this...
It does make sense that the string would cause the error. The type for session shows

So at least for the initial one it seems obvious that it's working because there is no session being retrieved from Redis and parsed incorrectly. And then for subsequent requests there are, so it fails. But not sure why the refresh would work...
I ran some tests on this as well. It looks like the same session is used after the first interaction is complete. Q:

Logs:

What I found really confusing is that when I am getting redirected to the finish URL (
It didn't happen to me that often. That is what most confused me.

Same
Quick recap after going over this with @raducristianpopa. While the error is being caused by To address Radu's question from above:

Basically yes, this is the intended behavior. If you visit the redirect from the same browser you should have the same cookie, which will use the same session. For good measure we confirmed that on rafiki.money different users are generating different sessions. In addition we did an audit of security-related cookie settings and found some things that could be improved and captured it here: #2844
@@ -181,7 +181,6 @@ async function startInteraction( | |||
|
|||
const trx = await Interaction.startTransaction() | |||
try { | |||
// TODO: also establish session in redis with short expiry |
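Review bot: dropping the `// TODO: also establish session in redis with short expiry` line inside `startInteraction` leaves that function with no pointer to where the session expiry now lives. The thread confirms the TODO is resolved because sessions were moved into Redis, and this same PR touches the session expiration time unit, so a one-line comment naming the session middleware configuration (the `maxAge` passed to `session(...)`) would keep the expiry discoverable from here and stop the TODO from being re-added.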
Confirmed with Nathan this was just about moving sessions into Redis, so it's no longer a TODO.
koa.use(
  session(
    {
      key: 'sessionId',
      maxAge: 60 * 1000,
      signed: true
    },
    koa
  )
)
Not used anywhere. Looks like a potential copy/paste artifact from the recent(ish) factoring out of interaction routes into the startInteractionServer (`'/grant/:id/:nonce/:choice'`, `'/grant/{id}/{nonce}'`).
LGTM
* fix(auth): interact redirect
* fix(auth): session cookie not expiring in browser
* fix(auth): session expiration time unit

---------

Co-authored-by: Blair Currey <12960453+BlairCurrey@users.noreply.github.com>
Changes proposed in this pull request

- `maxAge` is invalid error by changing from hget/hset (saved as redis hashmap) to set/get (string) so that we can use `JSON.parse` and `JSON.stringify`. Saving the `JSON.stringify`ied session preserves the datatypes so that we don't need to deal with manually re-forming the session and can just do `JSON.parse` on read.
- `null` from `get` when the session is not found.
- (`'/grant/:id/:nonce'`, `'/grant/:id/:nonce/:choice'`)

Context
Checklist
fixes #number
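The review comment suggesting `JSON.stringify` on set and `JSON.parse` on get, and the PR description of the hget/hset to set/get change, both describe the same store shape. The block below is an added example written for this page, not code from the Rafiki repository. It assumes an ioredis-compatible client (`get`, `set` with `PX`, `del`) and the koa-session external store contract (`get`/`set`/`destroy`, with `maxAge` in milliseconds); `JsonRedisSessionStore`, `FakeRedis`, `hashRoundTrip` and `demo` are hypothetical names, and `FakeRedis` is a constructed in-memory stand-in so the example runs offline. `hashRoundTrip` reproduces the type loss of the hash approach the PR replaced, next to the JSON store that preserves `_expire` and `_maxAge` as numbers and returns `null` for a missing or expired key.

```typescript
// Added example: koa-session external store backed by a JSON string in Redis.
// Not the project's code; see the lead-in for what is assumed.

// Minimal slice of an ioredis-style string API (assumption: the project uses a
// client with this shape). FakeRedis below implements it for offline use.
interface StringStore {
  get(key: string): Promise<string | null>
  set(key: string, value: string, mode: 'PX', ttlMs: number): Promise<'OK'>
  del(key: string): Promise<number>
}

// Shape koa-session hands to the store: arbitrary user fields plus the
// bookkeeping fields that must come back as numbers, not strings.
interface SessionRecord {
  [k: string]: unknown
  _expire?: number
  _maxAge?: number
}

export class JsonRedisSessionStore {
  constructor(
    private readonly redis: StringStore,
    private readonly prefix = 'session:' // hypothetical key prefix
  ) {}

  // koa-session passes (key, maxAge, opts); only the key is needed here.
  async get(key: string): Promise<SessionRecord | null> {
    const raw = await this.redis.get(this.prefix + key)
    if (raw === null) return null // no session: koa-session starts a fresh one
    try {
      return JSON.parse(raw) as SessionRecord // numbers survive the round trip
    } catch {
      return null // corrupted value: treat as absent rather than fail every request
    }
  }

  // koa-session passes maxAge in milliseconds; PX keeps the Redis TTL in the
  // same unit so the server-side expiry matches the cookie's.
  async set(key: string, sess: SessionRecord, maxAge: number): Promise<void> {
    await this.redis.set(this.prefix + key, JSON.stringify(sess), 'PX', maxAge)
  }

  async destroy(key: string): Promise<void> {
    await this.redis.del(this.prefix + key)
  }
}

// Constructed in-memory stand-in for Redis with a manual clock, so expiry can
// be exercised deterministically without a server.
export class FakeRedis implements StringStore {
  private data = new Map<string, { value: string; expiresAt: number }>()
  now = 0 // fake clock in ms

  async get(key: string): Promise<string | null> {
    const e = this.data.get(key)
    if (!e) return null
    if (e.expiresAt <= this.now) {
      this.data.delete(key) // lazy expiry, like Redis
      return null
    }
    return e.value
  }

  async set(key: string, value: string, _mode: 'PX', ttlMs: number): Promise<'OK'> {
    this.data.set(key, { value, expiresAt: this.now + ttlMs })
    return 'OK' as const
  }

  async del(key: string): Promise<number> {
    return this.data.delete(key) ? 1 : 0
  }
}

// What a Redis hash (hset/hgetall) does to the record: every field becomes a
// string, which is why _maxAge came back as "60000" and was rejected.
export function hashRoundTrip(sess: SessionRecord): Record<string, string> {
  const out: Record<string, string> = {}
  for (const [k, v] of Object.entries(sess)) out[k] = String(v)
  return out
}

// Walks through set, get, a missing key, and expiry on the fake clock.
export async function demo() {
  const redis = new FakeRedis()
  const store = new JsonRedisSessionStore(redis)
  const sess: SessionRecord = { nonce: 'abc', _expire: 60 * 1000, _maxAge: 60 * 1000 }
  await store.set('sid', sess, 60 * 1000)
  const loaded = await store.get('sid')
  const missing = await store.get('nope')
  redis.now = 60 * 1000 + 1 // advance past the TTL
  const expired = await store.get('sid')
  return { loaded, missing, expired, hashed: hashRoundTrip(sess) }
}
```

The one unit to watch is the TTL: koa-session's `maxAge` is milliseconds, so the Redis expiry must be set with `PX` (or divided by 1000 for `EX`), otherwise the server-side session outlives or dies before the cookie, which is the class of mismatch the "session expiration time unit" commit in this PR addresses.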