SlateFoundation / slate-spark

Spark addon for Slate
http://slatefoundation.github.io/slate-spark/
GNU Affero General Public License v3.0

Create a custom session handler #1

Open themightychris opened 8 years ago

themightychris commented 8 years ago

Plug a custom session handler into Emergence that takes advantage of spark-fe's authentication to skip doing any database lookups

jmealo commented 8 years ago

@themightychris let's coordinate on this; I'd like PHP to be able to emit NATS messages to all of a user's sessions, or just the current session. Once we've done this we should be able to handle logouts and multiple tabs much more gracefully, as well as unified logging.

We should also go over the fields I'm providing and make sure those fit your needs/vision for this, as now would be the time to firm that up.

Here's an example of the incoming headers to the API.

{
    "host": "sandbox-school.matchbooklearning.com",
    "x-forwarded-proto": "https",
    "x-real-ip": "73.188.175.202",
    "x-forwarded-for": "73.188.175.202",
    "cache-control": "max-age=0",
    "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "upgrade-insecure-requests": "1",
    "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36",
    "accept-encoding": "gzip, deflate, sdch",
    "accept-language": "en-US,en;q=0.8",
    "cookie": "sandbox-school-s=d4b0fdc4f0c90ba781e2bd672ec126b1",
    "x-nginx-session": "{\"username\":\"ccross\",\"groupHandles\":\"north\",\"lastName\":\"Cross\",\"firstName\":\"Clarisa\",\"email\":\"ccross@example.com\",\"userId\":7,\"accountLevel\":\"Student\"}",
    "x-nginx-mysql-schema": "sandbox-school",
    "x-nginx-mysql-host": "10.128.109.167",
    "x-nginx-request-id": "lhI6p0wqhMe9MS7v"
}

The session information is sent as x-nginx-session.

The concept here is that, to prevent spoofing, we strip any x-nginx-* headers coming into NGINX.

{
   "username":"ccross",
   "groupHandles":"north",
   "lastName":"Cross",
   "firstName":"Clarisa",
   "email":"ccross@example.com",
   "userId":7,
   "accountLevel":"Student"
}

_I've been dying to get anonymous/trusted (without an Emergence session) auth working so we can do health checks and intra-server communication, so that work should be tied in with supporting anonymous sessions. There's Lua code to do OAuth, but I'm thinking JWT would be more appropriate for what we want to do._
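Both halves of the trust boundary described in this thread (the edge strips inbound x-nginx-* headers before injecting its own, and the backend builds a session from x-nginx-session with no database lookup, which is what the opening request asks for), as an added example in Python. This is not code from slate-spark, Emergence or the NGINX side; the trusted proxy address, the field-type table, the fail-closed rejection behaviour and the sample headers are assumptions for the example, while the field names are those of the JSON shown above.

```python
"""Trust boundary for the x-nginx-session header.

Added example, not code from slate-spark, Emergence or the NGINX layer.
It models the two halves of the scheme described in the issue:

  * proxy_forward(): what the edge must do to inbound client headers,
    i.e. drop every x-nginx-* header before adding its own.
  * session_from_request(): what the backend does with x-nginx-session,
    accepting it only on requests that arrived via the proxy, then
    parsing and type-checking every field before use.

TRUSTED_PROXIES, SESSION_FIELDS and the sample headers are assumptions
for this example; the field names match the issue's JSON payload.
"""
import json
from dataclasses import dataclass
from typing import Dict, Optional

TRUSTED_HEADER_PREFIX = "x-nginx-"
TRUSTED_PROXIES = {"10.128.109.1"}  # assumed address of the NGINX tier

# Field -> expected JSON type, taken from the example payload in the issue.
SESSION_FIELDS = {
    "username": str, "groupHandles": str, "lastName": str, "firstName": str,
    "email": str, "userId": int, "accountLevel": str,
}


class SessionHeaderError(ValueError):
    """Raised when x-nginx-session cannot be trusted or parsed."""


@dataclass(frozen=True)
class ProxySession:
    user_id: int
    username: str
    account_level: str
    email: str
    first_name: str
    last_name: str
    group_handles: str


def strip_untrusted_headers(client_headers: Dict[str, str]) -> Dict[str, str]:
    """Edge step: drop every x-nginx-* header the client sent, in any letter case.

    This is the only thing that makes the injected header meaningful: once a
    request is past the proxy, the backend cannot tell a client-supplied
    x-nginx-session from a proxy-supplied one.
    """
    return {k: v for k, v in client_headers.items()
            if not k.lower().startswith(TRUSTED_HEADER_PREFIX)}


def proxy_forward(client_headers: Dict[str, str],
                  session_record: Optional[dict]) -> Dict[str, str]:
    """Edge step: strip, then inject the session the proxy resolved itself.

    session_record is what the proxy's own auth layer resolved from the
    cookie; None means the cookie mapped to no session (anonymous request).
    """
    forwarded = strip_untrusted_headers(client_headers)
    if session_record is not None:
        forwarded["x-nginx-session"] = json.dumps(session_record)
    return forwarded


def session_from_request(headers: Dict[str, str], remote_addr: str,
                         trusted_proxies=TRUSTED_PROXIES) -> Optional[ProxySession]:
    """Backend step: turn x-nginx-session into a session with no DB lookup.

    Returns None for an anonymous request. Raises SessionHeaderError when the
    request bypassed the proxy or the header is malformed, so a bad header
    fails closed instead of degrading to a guess.
    """
    if remote_addr not in trusted_proxies:
        raise SessionHeaderError(f"request from {remote_addr} bypassed the proxy")
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("x-nginx-session")
    if raw is None:
        return None
    try:
        data = json.loads(raw)
    except ValueError as exc:
        raise SessionHeaderError("x-nginx-session is not valid JSON") from exc
    if not isinstance(data, dict):
        raise SessionHeaderError("x-nginx-session is not a JSON object")
    for field, expected in SESSION_FIELDS.items():
        value = data.get(field)
        # bool is a subclass of int in Python; "userId": true must not pass.
        if not isinstance(value, expected) or isinstance(value, bool):
            raise SessionHeaderError(f"field {field!r} missing or wrong type")
    if data["userId"] <= 0:
        raise SessionHeaderError("userId must be positive")
    return ProxySession(user_id=data["userId"], username=data["username"],
                        account_level=data["accountLevel"], email=data["email"],
                        first_name=data["firstName"], last_name=data["lastName"],
                        group_handles=data["groupHandles"])


def rejection_reason(headers, remote_addr, trusted_proxies=TRUSTED_PROXIES) -> Optional[str]:
    """Reason string instead of an exception, for callers that just want a verdict."""
    try:
        session_from_request(headers, remote_addr, trusted_proxies)
    except SessionHeaderError as exc:
        return str(exc)
    return None


# Constructed sample: a client that tries to smuggle in its own identity header.
SPOOFED_CLIENT_HEADERS = {
    "host": "sandbox-school.matchbooklearning.com",
    "cookie": "sandbox-school-s=d4b0fdc4f0c90ba781e2bd672ec126b1",
    "X-Nginx-Session": '{"username":"mallory","groupHandles":"north","lastName":"M",'
                       '"firstName":"M","email":"m@example.com","userId":1,'
                       '"accountLevel":"Student"}',
}
# The record the proxy itself resolved for the cookie (values from the issue).
PROXY_SESSION_RECORD = {
    "username": "ccross", "groupHandles": "north", "lastName": "Cross",
    "firstName": "Clarisa", "email": "ccross@example.com", "userId": 7,
    "accountLevel": "Student",
}

if __name__ == "__main__":
    forwarded = proxy_forward(SPOOFED_CLIENT_HEADERS, PROXY_SESSION_RECORD)
    print(session_from_request(forwarded, "10.128.109.1"))
    print(rejection_reason(SPOOFED_CLIENT_HEADERS, "73.188.175.202"))
```

The instructive case is feeding the unstripped client headers straight to the backend from the proxy's address: they parse cleanly as "mallory", because the backend has no way to distinguish the two sources. Stripping at the edge is the whole defence; the remote-address check is only defence in depth, and it assumes the backend is not reachable on any path that skips NGINX.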