In order to prevent unnecessary sessions being created when we hit e.g. the health check endpoint (which the load balancer does regularly) we needed to re-configure the express middleware and routes so that the session is only used on endpoints that need to read or write session data.
This work was originally done on the cloud infrastructure branch, but I'd like it in dev first, so that the cloud branch only has infra code.
Testing / Acceptance Criteria
This is basically regression testing, though it would be useful for you to know what might be affected. The upshot is that only requests that require session data should be using the session cookie header: all chats, defence and model configuration, and switching levels as that refetches chat and email history from the session.
Firstly, check that
chat and email history are correctly preserved / reloaded when you refresh the page, and when you switch levels and back again
similarly, defence and model config changes should be preserved when you refresh or switch levels
If it works for one defence or model config, it should work for them all, so no need to exhaustively test all possibilities, just one of each should do.
Additionally, these endpoints shouldn't use the session cookie:
GET /health
GET /systemRoles
GET /documents
This means that when you hit those endpoints, you should not receive a "Set-Cookie" response header from the server. You can check that in the browser devtools network tab. In contrast, you should see "Cookie" request header and "Set-Cookie" response header for the chat and config endpoints.
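The acceptance check above can also be scripted. The sketch below is an added example, not code from this PR or the project: it uses a dependency-free stand-in for the Express middleware chain, and the `/chat` path, the `sid` cookie name and the simplified session middleware are assumptions. It shows session middleware mounted only on the route that needs it, so the session-free endpoints never create a session or send "Set-Cookie".

```javascript
// Stand-in for an Express app (constructed, dependency-free): same (req, res, next)
// middleware shape, but responses are plain objects so the check runs offline.
const nodeCrypto = globalThis.crypto ?? require('node:crypto');
const sessions = new Map(); // in-memory session store: id -> session data

// Simplified session middleware: creates a session and sets a cookie when the
// request carries no known session id; otherwise reloads the stored session.
function session(req, res, next) {
  let sid = (/(?:^|;\s*)sid=([^;]+)/.exec(req.headers.cookie || '') || [])[1];
  if (!sessions.has(sid)) {
    sid = nodeCrypto.randomUUID();
    sessions.set(sid, {});
    res.headers['set-cookie'] = `sid=${sid}; HttpOnly; SameSite=Strict; Path=/`;
  }
  req.session = sessions.get(sid);
  next();
}

function makeApp() {
  const stack = [];
  return {
    // Mount middleware on a path prefix.
    use: (prefix, fn) => stack.push({ fn, match: (m, p) => p === prefix || p.startsWith(prefix + '/') }),
    // Register a handler for an exact method and path.
    route: (method, path, fn) => stack.push({ fn, match: (m, p) => m === method && p === path }),
    handle(method, path, headers = {}) {
      const req = { method, path, headers };
      const res = { status: 404, headers: {}, body: null };
      const layers = stack.filter((l) => l.match(method, path));
      let i = 0;
      const next = () => { const l = layers[i++]; if (l) l.fn(req, res, next); };
      next();
      return res;
    },
  };
}

function buildApp() {
  const app = makeApp();
  for (const p of ['/health', '/systemRoles', '/documents']) { // session-free endpoints from the description
    app.route('GET', p, (req, res) => { res.status = 200; res.body = 'ok'; });
  }
  app.use('/chat', session); // session only where state is read or written ('/chat' is hypothetical)
  app.route('POST', '/chat', (req, res) => {
    req.session.history = [...(req.session.history || []), 'message'];
    res.status = 200; res.body = req.session.history.length;
  });
  return app;
}
```

Calling `buildApp().handle('GET', '/health')` repeatedly leaves `sessions` empty, which is the property that matters for load balancer health checks.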