mythz
commented
3 years ago IUserSessionSourceAsync should not be populated from the current Request (which in JWT Requests would return a partial expired session), its purpose is for when you're not using an Auth Repository to return a populated session with the latest user info from your custom user data source. This up-to-date user info is what's used to populate the new partial session encapsulated in the newly issued JWT Bearer Token.
The JWT Payload specifies what info is embedded in JWT Tokens:
- sub <-
session.UserAuthId - email <-
session.Email - given_name <-
session.FirstName - family_name <-
session.LastName - name <-
session.DisplayName - preferred_username <-
session.UserName - picture <-
session.ProfileUrl - roles <-
session.Roles - perms <-
session.Permissions
We are trying to implement a
IUserSessionSourceAsyncthat validates the user and creates a new session, however, it is proving difficult to implement.To create a new session with
the current request is required, and it is not available to
GetUserSessionAsync.I have tried to use
var request = HostContext.GetCurrentRequest();to lookup the request, but it fails with the errorLooking at the source code, the current request is always available when
GetUserSessionAsyncis called, ref. https://github.com/ServiceStack/ServiceStack/blob/cae6c6a64923c227f1a9570099563ef720725e90/src/ServiceStack/RequestExtensions.cs#L303I think that
GetUserSessionAsyncshould have had another signature altogether, exposing the always available request. I.e.Having that would make it trivial to implement.
And of course having another interface
IUserSessionSourceWithRequestAsyncthat does add the request would solve it too, but I don't think it makes sense to create sessions without the request, in principle.