Server side sessions #1673
Merged
Conversation
lfleischmann requested changes (Oct 14, 2024), with a review comment on frontend/elements/src/components/accordion/ListSessionsAccordion.tsx (outdated, resolved)
lfleischmann requested changes (Oct 14, 2024)
lfleischmann approved these changes (Oct 15, 2024)
adilkadivala pushed a commit to adilkadivala/hanko that referenced this pull request (Oct 27, 2024):
* feat: add server side sessions
* feat: add lastUsed & admin endpoint
* feat: add session list to elements
* fix: fix public session endpoint
* chore: only store session info when enabled
* build: update go mod
* feat: add translations
* test: fix tests
* feat: change path
* feat: return userID on session validation endpoint
* feat: move all session endpoints to public router
* fix: add missing translation
* fix: add missing structs
* chore: align session persister with other persisters
* fix: use correct translation label
* chore: add db validator to session model
* feat: create server side session from cmd
* fix: fix review findings
Description
This PR adds server side sessions. Currently the sessions are only a JWT, which does not allow revoking any session before the JWT expiration time is over. This PR adds a `session_id` to each JWT and stores them in the database when server side sessions are enabled. A session is valid only when the `session_id` from a JWT is found in the database.

Now a service that uses Hanko must use the new session check endpoint in the admin API in order to know if the session is valid or revoked. This session check endpoint can also be used when server side sessions are disabled; then it only verifies that the signature and expiration time of the JWT are valid.

When server side sessions are enabled, the profile shows a list of active sessions which the user can revoke, except for the current one.
Implementation
New config options are added to enable server side sessions and also to limit the active sessions a user can have. Each JWT gets a new parameter `session_id`, which is stored in the database along with the user agent and the IP address. It is also stored when the session was last used, and this is updated every time the profile flow or the session check endpoint from the admin API is used.

When a user already has a non-server-side session and server side sessions are enabled, that session is not valid anymore, as the `session_id` is only stored when server side sessions are enabled.

Tests
Enable server side sessions and log in on different browsers. Try to revoke sessions from other browsers and check that you are not logged in anymore.
Todos
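The validation order the description lays out (signature and expiry first, then the `session_id` database lookup only when the feature is enabled, with the last-used time refreshed on a hit), as an added Go example that is not part of this PR or of Hanko's code. It assumes a symmetric HS256 key and a plain map standing in for the sessions table; both are simplifications chosen for the demo.

```go
package main
import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Claims is the subset of the JWT payload inspected here; session_id is the claim the PR adds.
type Claims struct {
	Sub       string `json:"sub"`
	SessionID string `json:"session_id,omitempty"`
	Exp       int64  `json:"exp"` // unix seconds
}
var ErrInvalidSession = errors.New("session_id not found: session invalid or revoked")
var b64 = base64.RawURLEncoding
func sign(key []byte, input string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}
// MintJWT issues a compact HS256 token (symmetric HS256 is an assumption made for brevity).
func MintJWT(key []byte, c Claims) string {
	body, _ := json.Marshal(c)
	in := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	return in + "." + b64.EncodeToString(sign(key, in))
}
// CheckSession mirrors the session check endpoint and returns the user id. Signature and expiry are
// always verified (the HMAC is recomputed whatever the header says, so alg=none is never honoured);
// lastUsed stands in for the sessions table: a present session_id is active, a deleted one revoked.
func CheckSession(key []byte, enabled bool, lastUsed map[string]int64, token string, now int64) (string, error) {
	p := strings.Split(token, ".")
	sig, err := b64.DecodeString(p[len(p)-1])
	if len(p) != 3 || err != nil || !hmac.Equal(sig, sign(key, p[0]+"."+p[1])) {
		return "", errors.New("malformed token or bad signature")
	}
	var c Claims
	if body, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(body, &c) != nil || c.Exp <= now {
		return "", errors.New("bad payload or token expired")
	}
	// Stateless mode stops here; when enabled the session_id must be in the table (a JWT minted
	// before the feature was enabled carries none and fails too) and a hit refreshes the last-used time.
	if enabled {
		if _, ok := lastUsed[c.SessionID]; !ok {
			return "", ErrInvalidSession
		}
		lastUsed[c.SessionID] = now
	}
	return c.Sub, nil
}
```

Revoking a session from the profile's list corresponds to deleting its `session_id` key from the table, after which the still-unexpired JWT is rejected on the next check.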