authn: Resave an on-the-fly updated user object back to the stored session #480

tsibley · 2022-02-23T23:27:13Z

Rather than perpetually updating it on-the-fly with every request.

Resolves a downside of "authn: Upgrade existing sessions which pre-date
addition of authzRoles" (272ed09) and was simpler to implement than I
thought!

Related issue(s)

Related to #479 and #452.

Testing

I tested locally (which uses a file-based session store) by first acquiring an "old" session (i.e. logging in on an earlier version of the codebase), which contained a user object like:

$ jq '.passport.user | fromjson' sessions/lMG7Ra3e79V5LuefCy2ObeMzucT4q5u6.json  
{
  "username": "trs",
  "groups": [
    "test/owners",
    "blab-private",
    "seattleflu",
    "trs-test/owners",
    "test-private/editors",
    "blab",
    "inrb-drc"
  ]
}

then I restarted my local server with the code in this PR and made another request, after which my session contained the expected updates:

$ jq '.passport.user | fromjson' sessions/lMG7Ra3e79V5LuefCy2ObeMzucT4q5u6.json  
{
  "username": "trs",
  "groups": [
    "test",
    "blab-private",
    "seattleflu",
    "trs-test",
    "test-private",
    "blab",
    "inrb-drc"
  ],
  "authzRoles": [
    "test/owners",
    "blab-private/viewers",
    "seattleflu/viewers",
    "trs-test/owners",
    "test-private/editors",
    "blab/viewers",
    "inrb-drc/viewers"
  ]
}

…ssion Rather than perpetually updating it on-the-fly with every request. Resolves a downside of "authn: Upgrade existing sessions which pre-date addition of authzRoles" (272ed09) and was simpler to implement than I thought!

joverlee521

Very cool!

joverlee521 · 2022-03-07T18:19:41Z

src/authn/index.js

+  // the user object in the session via req.login().  The session will detect
+  // its been changed and save itself to the store at the end of the request.
+  app.use((req, res, next) => {
+    if (req.user?.[RESAVE_TO_SESSION]) {


Wow, didn't know optional chaining was a thing! 🤓

We couldn't use it here until the recent version bump from Node 13 → 14, so it's a nice perk of that! In the same family is also ??, the "nullish coalescing operator".

tsibley · 2022-03-08T20:03:06Z

Deployed and working:

Mar 08 10:50:03 nextstrain-server app/web.3 [verbose]	Upgrading groups and authzRoles of user object for trs
Mar 08 10:50:03 nextstrain-server app/web.3 [verbose]	Resaving user object for trs back to the session

tsibley force-pushed the trs/resave-updated-user-to-session branch from 0d2a4ea to 4225fcf Compare February 23, 2022 23:27

tsibley temporarily deployed to nextstrain-s-trs-resave-b8zho3 February 23, 2022 23:27 Inactive

tsibley requested a review from a team February 23, 2022 23:28

jameshadfield mentioned this pull request Feb 24, 2022

authn: Upgrade existing sessions which pre-date addition of authzRoles #479

Merged

joverlee521 approved these changes Mar 7, 2022

View reviewed changes

tsibley merged commit 029c0e6 into master Mar 8, 2022

tsibley deleted the trs/resave-updated-user-to-session branch March 8, 2022 18:18

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

authn: Resave an on-the-fly updated user object back to the stored session #480

authn: Resave an on-the-fly updated user object back to the stored session #480

tsibley commented Feb 23, 2022

joverlee521 left a comment

joverlee521 Mar 7, 2022

tsibley Mar 8, 2022

tsibley commented Mar 8, 2022

authn: Resave an on-the-fly updated user object back to the stored session #480

authn: Resave an on-the-fly updated user object back to the stored session #480

Conversation

tsibley commented Feb 23, 2022

Related issue(s)

Testing

joverlee521 left a comment

Choose a reason for hiding this comment

joverlee521 Mar 7, 2022

Choose a reason for hiding this comment

tsibley Mar 8, 2022

Choose a reason for hiding this comment

tsibley commented Mar 8, 2022