Comments (8)
That's true, 0.5.2 was a security fix and 0.5.3 fixed rare encoding problems. There isn't currently any migration code
from akka-http-session.
I'd be happy to add the migrations. How about we add a config like
    akka.http.session {
      ...
      token-migration {
        v0-5-2 {
          enabled = false
        }
        v0-5-3 {
          enabled = false
        }
      }
    }
Then we simply allow the old deserialization format if the config is enabled.
There's probably a way to safely accelerate the token turnover in certain cases, but I haven't familiarized myself with the codebase yet and don't want to complicate things.
What do you think?
Sounds good! So if the migration is enabled, an attempt would be made to deserialize using the old format, and if that works, set the token to the new one?
When you say "set the token to the new one" do you mean attempt to update the client by sending the new cookie/header back in the response? That's what I had referred to, but am a little concerned about doing essentially a write-session op as a side effect of a read-session. I can certainly look into it, but again, haven't dug into this implementation yet. Hoping to get to it later this week.
Yes, I think the goal is to migrate existing users to the new format?
Get-session sometimes causes a new session to be established - if "remember me" is used.
Right, though even without explicitly updating the tokens, they will automatically migrate as they expire and new tokens are created. If we imagine devs will leave the migrations enabled long enough to migrate all existing tokens - the max of the session or refresh token expiry period - then it wouldn't make a practical difference, if I understand correctly.
Nonetheless I agree it would be nice to accelerate the turnover. Since the "remember me" feature already works that way, it shouldn't be surprising to clients (who may have some custom header-based session management).
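A worked example of the config-gated fallback discussed in this thread. This is added illustration code, not akka-http-session's own implementation, and both token layouts below are constructed stand-ins rather than the library's real 0.5.2/0.5.3 encodings. It shows the three points raised above: the current format is always tried first, the legacy format is only attempted when the migration flag is on and is still MAC-verified (never accepted unsigned), and a successful legacy read hands back a freshly encoded token so the caller can decide whether to set it on the response rather than the read path silently writing.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed demo secret; a real deployment derives this from configuration.
SECRET = b"constructed-demo-secret-not-for-real-use"


def _mac(key: bytes, msg: bytes) -> str:
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Current format (constructed): "v1." + base64url(json) + "." + hex(hmac over "v1.<body>")
def encode_current(data: dict, key: bytes = SECRET) -> str:
    body = _b64(json.dumps(data, sort_keys=True).encode())
    signed = f"v1.{body}"
    return f"{signed}.{_mac(key, signed.encode())}"


def decode_current(token: str, key: bytes = SECRET) -> Optional[dict]:
    parts = token.split(".")
    if len(parts) != 3 or parts[0] != "v1":
        return None
    expected = _mac(key, f"v1.{parts[1]}".encode())
    # Constant-time comparison on bytes so a non-ASCII signature cannot raise.
    if not hmac.compare_digest(expected.encode(), parts[2].encode()):
        return None
    try:
        decoded = json.loads(_unb64(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if isinstance(decoded, dict) else None


# Legacy format (constructed stand-in for the old layout): "k=v&k=v" + "~" + hex(hmac over body)
# Values are assumed to be plain strings without '&', '=' or '~'.
def encode_legacy(data: dict, key: bytes = SECRET) -> str:
    body = "&".join(f"{k}={v}" for k, v in sorted(data.items()))
    return f"{body}~{_mac(key, body.encode())}"


def decode_legacy(token: str, key: bytes = SECRET) -> Optional[dict]:
    body, sep, sig = token.rpartition("~")
    if not sep:
        return None
    # The legacy path still verifies the MAC; migration never means "accept unsigned".
    if not hmac.compare_digest(_mac(key, body.encode()).encode(), sig.encode()):
        return None
    pairs = [p.split("=", 1) for p in body.split("&") if p]
    if any(len(p) != 2 for p in pairs):
        return None
    return dict(pairs)


@dataclass
class MigrationConfig:
    # Mirrors `token-migration { v0-5-2 { enabled = ... } }` from the thread.
    legacy_enabled: bool = False


def read_session(token: str, cfg: MigrationConfig,
                 key: bytes = SECRET) -> Tuple[Optional[dict], Optional[str]]:
    """Return (session, reissued_token).

    reissued_token is set only when a legacy token was accepted, so the
    caller (not the read path) decides whether to send the new cookie/header.
    """
    data = decode_current(token, key)
    if data is not None:
        return data, None
    if not cfg.legacy_enabled:
        return None, None
    data = decode_legacy(token, key)
    if data is None:
        return None, None
    return data, encode_current(data, key)


if __name__ == "__main__":
    session = {"role": "admin", "user": "alice"}
    legacy = encode_legacy(session)
    print(read_session(legacy, MigrationConfig(legacy_enabled=False)))
    print(read_session(legacy, MigrationConfig(legacy_enabled=True)))
```

Once every legacy token has aged out (the longer of the session and refresh-token lifetimes), flipping `legacy_enabled` back to false removes the fallback path entirely, which is the state the thread expects deployments to end up in.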
Pull request here #55
Fixed in 0.5.4