Session storage refactoring#37992
Conversation
as soon as registerAuth refactored to restrict access to hapi Request, CookieSessionStorage won't work with hapi request directly
|
|
||
| class ScopedCookieSessionStorage<T extends Record<string, any>> implements SessionStorage<T> { | ||
| constructor(private readonly server: Server, private readonly request: Request) {} | ||
| constructor(private readonly server: Server, private readonly request: Readonly<Request>) {} |
There was a problem hiding this comment.
issue #33775 has point to restrict access to hapi Request object in registerAuth handler. thus we will operate KibanaRequest-ish object here
| } | ||
| } | ||
|
|
||
| export const toRawRequest = (request: KibanaRequest) => request[requestSymbol]; |
There was a problem hiding this comment.
this api shouldn't be exposed outside of http service
There was a problem hiding this comment.
suggestion: Because this is kind of sensitive, perhaps we should add a comment and mark it with @internal, it's easy to do a refactor like export * from './request' and accidentally expose this
| return { | ||
| asScoped(request: Request) { | ||
| return new ScopedCookieSessionStorage<T>(server, request); | ||
| asScoped(request: Readonly<Request> | KibanaRequest) { |
There was a problem hiding this comment.
As soon as #36509 is implemented we pass bound session storage to a consumer. There is an open question on how to restrict access to this API outside of the plugin boundaries.
#36509 (comment)
mshustov
added
Feature:New Platform
Team:Core
|
Pinging @elastic/kibana-platform |
|
Pinging @elastic/kibana-security |
|
From the consumption standpoint, this looks great! To be honest, I didn't realize that you could access the |
💔 Build Failed |
| } | ||
| } | ||
|
|
||
| export const toRawRequest = (request: KibanaRequest) => request[requestSymbol]; |
There was a problem hiding this comment.
suggestion: Because this is kind of sensitive, perhaps we should add a comment and mark it with @internal, it's easy to do a refactor like export * from './request' and accidentally expose this
|
|
||
| export interface SessionStorageFactory<T> { | ||
| asScoped: (request: Request) => SessionStorage<T>; | ||
| asScoped: (request: Readonly<Request> | KibanaRequest) => SessionStorage<T>; |
There was a problem hiding this comment.
I see we use Readonly<Request> in tests, but would a consumer of the API ever get access to a Request to pass it in here?
There was a problem hiding this comment.
yes, one of the next actions in #33775 is restrict access to hapi Request object, which is exposed via registerAuth #34631 (comment)
💔 Build Failed |
mshustov
force-pushed
the
issue-33775-session-storage-refactoring
branch
from
793cd31 to
c6fe0e1
Compare
joshdover
left a comment
joshdover
left a comment
There was a problem hiding this comment.
The main change here looks good. Not worried about any session leakage since SessionStorageFactory only exposes request-scoped session storage
💚 Build Succeeded |
💚 Build Succeeded |
* Kibana request keep a reference to raw request. used to bind hapi-cookie * CookieSessionStorage should work with KibanaRequest as soon as registerAuth refactored to restrict access to hapi Request, CookieSessionStorage won't work with hapi request directly * change registerAuth public api * adopt auth lifecycle tests * move lifecycle auth tests from integration to unit and adopt to new api. * mark toRawRequest as internal to prevent exposure * generate docs * reword test cases * mark Request internals in tsdoc
* Kibana request keep a reference to raw request. used to bind hapi-cookie * CookieSessionStorage should work with KibanaRequest as soon as registerAuth refactored to restrict access to hapi Request, CookieSessionStorage won't work with hapi request directly * change registerAuth public api * adopt auth lifecycle tests * move lifecycle auth tests from integration to unit and adopt to new api. * mark toRawRequest as internal to prevent exposure * generate docs * reword test cases * mark Request internals in tsdoc
5 participants
Summary
Current implementation passes bound to an incoming request session storage to
AuthHandler. This API doesn't allowregisterAuthcaller to use session storage outside ofAuthHandlerfunction.I changed api in the way when
registerAuthreturns sessionStorageFactory, therefore it can be used in any place ofregisterAuth. Security team needs this api to perform logout in route handlerthere are tons of changes in docs after I merged master and run
yarn core:acceptApiChanges. looks like the reason for this is@microsoft/api-documenterupdate #37759Checklist
Use
strikethroughsto remove checklist items you don't feel are applicable to this PR.[ ] This was checked for cross-browser compatibility, including a check against IE11[ ] Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support[ ] Documentation was added for features that require explanation or tutorials[ ] This was checked for keyboard-only and screenreader accessibilityFor maintainers