Feat: Session manager #1133

Merged
merged 14 commits into from
Oct 18, 2024


@realmayus realmayus commented Sep 4, 2024

Closes https://github.com/corona-school/project-user/issues/1243.
Related frontend PR: corona-school/user-app#641

What was done

  • Introduce deviceIds: a persistent unique device identifier which we can use to track user sessions and map them to physical devices

  • Track deviceId in userSessions (change here) and secrets

  • Adds invalidateSessions parameter to tokenRevoke endpoint which removes all sessions that were created by the same deviceId that was used to create the token

    • If the device ID changes while using the token, this is reflected in the token as well.
    • This also allows us to invalidate sessions that haven't used a device token to log in yet (i.e. they created their session through loginWithPassword)

Potential problems

Users can log in with an invalid device ID, as they get to choose it on their own. Therefore, they can evade getting their sessions invalidated by providing a different device ID than what is stored in the secret.
Is this a scenario we care about?
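
The revocation rule and the caveat described in this PR description, as an added example that is not part of the PR or the project's code. It is a constructed in-memory model: only `deviceId`, `invalidateSessions`, `tokenRevoke` and `loginWithPassword` are names from the description. The other names, the per-user scoping and the overwrite-on-use behaviour are assumptions.

```typescript
// Constructed in-memory model, not the project's code. Only deviceId, invalidateSessions,
// tokenRevoke and loginWithPassword are names from the PR; everything else is hypothetical.
type Session = { sessionToken: string; userId: number; deviceId: string };
type Secret = { id: number; userId: number; deviceId: string };

class SessionModel {
    private sessions: Session[] = [];
    private secrets: Secret[] = [];
    private nextSecretId = 1;

    // deviceId is supplied by the client and stored as given; the server cannot verify it.
    loginWithPassword(userId: number, deviceId: string, sessionToken: string): void {
        this.sessions.push({ sessionToken, userId, deviceId });
    }

    createToken(userId: number, deviceId: string): number {
        const id = this.nextSecretId++;
        this.secrets.push({ id, userId, deviceId });
        return id;
    }

    // Assumption: using a token from another deviceId overwrites the deviceId kept with the token.
    loginWithToken(secretId: number, deviceId: string, sessionToken: string): void {
        const secret = this.secrets.filter((s) => s.id === secretId)[0];
        if (!secret) throw new Error('unknown token');
        secret.deviceId = deviceId;
        this.sessions.push({ sessionToken, userId: secret.userId, deviceId });
    }

    // Deletes the token; with invalidateSessions it also drops every session of that user
    // whose deviceId equals the one stored with the token. Returns the dropped session tokens.
    tokenRevoke(secretId: number, invalidateSessions: boolean): string[] {
        const secret = this.secrets.filter((s) => s.id === secretId)[0];
        if (!secret) throw new Error('unknown token');
        this.secrets = this.secrets.filter((s) => s.id !== secretId);
        if (!invalidateSessions) return [];
        const hit = (s: Session) => s.userId === secret.userId && s.deviceId === secret.deviceId;
        const dropped = this.sessions.filter(hit).map((s) => s.sessionToken);
        this.sessions = this.sessions.filter((s) => !hit(s));
        return dropped;
    }

    activeSessions(userId: number): string[] {
        return this.sessions.filter((s) => s.userId === userId).map((s) => s.sessionToken);
    }
}
```

In this model, revoking a token stored with `dev-A` drops that user's password and token sessions that reported `dev-A`, while a session of the same user that reported a different `deviceId` stays active.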

# Conflicts:
#	graphql/authentication.ts
#	graphql/user/fields.ts
@realmayus realmayus temporarily deployed to backend-feat-session-ma-hezuep September 4, 2024 10:34 Inactive
Resolved review thread: common/user/session.ts
Resolved review thread: graphql/authentication.ts (outdated)
Resolved review thread: graphql/secret/mutation.ts (outdated)
Resolved review thread: common/user/session.ts (outdated)
Resolved review thread: prisma/schema.prisma (outdated)
Jonasdoubleyou previously approved these changes Oct 10, 2024
@realmayus realmayus marked this pull request as ready for review October 10, 2024 14:22
@realmayus realmayus merged commit 59c45f9 into master Oct 18, 2024
2 checks passed
@realmayus realmayus deleted the feat-session-manager branch October 18, 2024 12:03
realmayus added a commit to corona-school/user-app that referenced this pull request Oct 22, 2024
Closes corona-school/project-user#1243.
Related backend PR: corona-school/backend#1133

- Added session manager view accessible through settings
- Created `deviceId` which is persisted on the device 
- Added `SessionCard` component
- Adjust "user agent" of token usage

<img width="1249" alt="Screenshot 2024-10-21 at 11 03 58"
src="https://github.com/user-attachments/assets/591b8212-5654-4e2b-945c-5ae3a64b525d">