UpstreamDataInc / goosebit

A simplistic, opinionated remote update server implementing hawkBit™'s DDI API.
https://goosebit.rtfd.io
Apache License 2.0

Session does not seem to be shared between gunicorn workers #73

Closed easybe closed 2 months ago

easybe commented 2 months ago

This can be seen when running e.g. with:

gunicorn --workers 8 --worker-class uvicorn.workers.UvicornWorker --bind 0.0.0.0:8080 goosebit:app

I assume the session data needs to be stored in the DB.

b-rowan commented 2 months ago

The solution to this is a static SECRET value. If that's set then it can be validated across all workers, as the session is just a JWT.

easybe commented 2 months ago

OK, yes that seems to work, thanks.

Still, I wonder: Isn't there some third-party library that could replace goosebit/auth/__init__.py?

jameshilliard commented 2 months ago

Another option may be to generate and store the secret in the database on startup if one doesn't exist and use whatever is in the database if it does exist.

b-rowan commented 2 months ago

> Another option may be to generate and store the secret in the database on startup if one doesn't exist and use whatever is in the database if it does exist.

I think the idea is to make it user configurable in the config, but I like this idea otherwise.

jameshilliard commented 2 months ago

> I think the idea is to make it user configurable in the config, but I like this idea otherwise.

Maybe use the database if not explicitly configured in settings?

easybe commented 2 months ago

I agree. It is not uncommon to have such a secret in the config. Even though I like the DB solution, it feels like unnecessary complexity. So, I would say, keep it simple (for now).

b-rowan commented 2 months ago

Ok, so I think we have secret be an option in the config, if it doesn't exist we generate one (temporarily, works for testing). This allows it to be passed as an env variable as well in the case of gunicorn, so you can generate it directly into the env variable when running if you want to randomize it.
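The failure mode and the agreed fix, as an added example that is not part of the thread and not goosebit's own code: a minimal HS256 JWT built from the standard library (no expiry handling), with each simulated worker loading its secret the way a separate gunicorn process would. The environment variable name `EXAMPLE_SECRET` and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, os, secrets

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def load_secret(env=os.environ, name="EXAMPLE_SECRET") -> bytes:
    """Configured secret if set, else a random per-process one (testing only).
    The variable name is hypothetical, not goosebit's setting."""
    value = env.get(name)
    return value.encode() if value else secrets.token_bytes(32)

def sign_session(secret: bytes, claims: dict) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_session(secret: bytes, token: str):
    """Return the claims if the signature checks out, else None."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        # Constant-time comparison before any claim is trusted.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        # Pin the algorithm instead of honouring whatever the header says.
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None
        return json.loads(_unb64(body))
    except (ValueError, TypeError, AttributeError):
        return None

def simulate(env: dict) -> bool:
    """Worker A issues a session token, worker B validates it."""
    worker_a, worker_b = load_secret(env), load_secret(env)  # one load per process
    token = sign_session(worker_a, {"sub": "admin@example.invalid"})  # constructed claim
    return verify_session(worker_b, token) is not None

if __name__ == "__main__":
    print("no secret configured:", simulate({}))
    print("shared secret:", simulate({"EXAMPLE_SECRET": "constructed-sample-value"}))
```

With no secret configured, a session issued by one worker is rejected by every other worker, which matches the behaviour reported at the top of the issue.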

jameshilliard commented 2 months ago

> Still, I wonder: Isn't there some third-party library that could replace goosebit/auth/__init__.py?

Maybe fastapi-users?

b-rowan commented 2 months ago

> > Still, I wonder: Isn't there some third-party library that could replace goosebit/auth/__init__.py?
>
> Maybe fastapi-users?

This seems distinctly worse, no support for tortoise-orm, and just as complex to set up.

jameshilliard commented 2 months ago

> This seems distinctly worse, no support for tortoise-orm, and just as complex to set up.

Yeah, def a bit more complex, was just thinking might have some useful features, think it used to support tortoise-orm but that integration seems to be unmaintained.