Before we start implementing the endpoints described in the authentication section, I feel we need to have a discussion about the endpoints themselves. The thought behind designing the endpoints in this way was:
- User does a sign-in via
/sessions/new and if the remember_me flag is set, the backend sends back an encrypted persistent cookie, called auth_token
- This
auth_token is set to never expire, BUT does not control the current session.
- The
auth_token needs to be periodically exchanged for a session_id every X minutus, where X=the session timeout time.
- The UI will need to detect when the backend sends a
session expired response and make an API call to /session/refresh automatically.
- After decrypting the
session_id the backend should always check a server-side data store (could be the DB, or could be Redis) to ensure that the session is still alive. Just because the session_id was successfully decrypted, should not mean that the session is valid. Checking a server-side data-store allows the server to invalidate existing user sessions (eg. if one has to implement a "logout all other sessions" feature)
The obvious downside of this is the additional complexity. The upside is that something like this allows us to implement a "sudo mode", like Github.
Thoughts?
Before we start implementing the endpoints described in the authentication section, I feel we need to have a discussion about the endpoints themselves. The thought behind designing the endpoints in this way was:
/sessions/newand if theremember_meflag is set, the backend sends back an encrypted persistent cookie, calledauth_tokenauth_tokenis set to never expire, BUT does not control the current session.auth_tokenneeds to be periodically exchanged for asession_idevery X minutus, where X=the session timeout time.session expiredresponse and make an API call to/session/refreshautomatically.session_idthe backend should always check a server-side data store (could be the DB, or could be Redis) to ensure that the session is still alive. Just because thesession_idwas successfully decrypted, should not mean that the session is valid. Checking a server-side data-store allows the server to invalidate existing user sessions (eg. if one has to implement a "logout all other sessions" feature)The obvious downside of this is the additional complexity. The upside is that something like this allows us to implement a "sudo mode", like Github.
Thoughts?