Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Server side sessions #1673

Merged
merged 18 commits into from
Oct 15, 2024
Merged

Server side sessions #1673

merged 18 commits into from
Oct 15, 2024

Conversation

FreddyDevelop
Copy link
Contributor

Description

This PR adds server side sessions. Currently the sessions are only a JWT which does not allow to revoke any session before the JWT expiration time is over. This PR adds a session_id to each JWT and stores them in the database, when server side sessions are enabled. Only when a the session_id from a JWT is found in the database a session is valid.
Now a service that uses Hanko must use the new session check endpoint in the admin API in order to know if the session is valid or revoked. This session check endpoint can also be used when server side sessions are disabled, then it only verifies that the signature and expiration time of JWT are valid.

When server side sessions are enabled the profile shows a list of active sessions which the user can revoke, except for the current one.

Implementation

New config options are added to enabled sever side sessions and also to limit the active session a user can have. Each JWT gets a new parameter session_id which is stored in the database along with the userAgent and the ip address. It is also stored when the session was last used and is updated every time the profile flow or the session check endpoint from the admin API is used.

When a user already has a non server side session and server side sessions are enabled, that session is not valid anymore as the session_id is only stored when server side sessions are enabled.

Tests

Enable server side sessions and login on different browsers. Try to revoke sessions from other browsers and check that you are not logged in anymore.

Todos

  • The sessionExpired event from the SDK does not react when a session is revoked on the server.

@FreddyDevelop FreddyDevelop marked this pull request as ready for review October 9, 2024 14:52
backend/persistence/persister.go Outdated Show resolved Hide resolved
backend/persistence/models/session.go Outdated Show resolved Hide resolved
backend/cmd/jwt/create.go Outdated Show resolved Hide resolved
backend/flow_api/handler.go Show resolved Hide resolved
frontend/elements/src/pages/ProfilePage.tsx Show resolved Hide resolved
backend/dto/session.go Outdated Show resolved Hide resolved
@FreddyDevelop FreddyDevelop merged commit 9dbc625 into main Oct 15, 2024
8 checks passed
@FreddyDevelop FreddyDevelop deleted the feat/server-side-sessions branch October 15, 2024 09:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Archived in project
Development

Successfully merging this pull request may close these issues.

2 participants