Open crimson-knight opened 1 year ago
robacarp
commented
1 year ago Good changes. You'll certainly want to make the relationship between Users and Session tokens a "has many" however you'd like to go about that. I don't really think there's a need to make the session token anything but a secure random string.
crimson-knight
commented
1 year ago @robacarp that's a good point of refinement, I was shooting for a single session allowed at a time, but that doesn't make sense even for my own use case, ha!
Since I'm building a mobile app, I want multiple sessions up to the device limit. So that's definitely a has_many kind of relationship.
So far I have the single token & single session working and using an in-memory cache that is managed by the Amber::Server class, but it's a basic Hash(String, User) setup. Which will probably get too inefficient at volume. because the keys are not sorted at first.
The current authentication provided by the generator is too basic. The current auth uses the user_id as the session ID. Let's improve the generator to do the following:
session_random_tokenwith typeVARCHAR&session_expiration_datewith typeTIMESTAMPsession_token= used_id + session_random_tokensession_tokenand set the token into an in-memory data storeauthpipe from using a DB query to check for the existing user_id, check the in-memory data store for the session token that is provided.The in-memory data store is probably best represented as a
Hash(String, User)The
session_tokenis going to require some parsing in order to do a database lookup in the event that the session token is not found. The idea here is that thesession_tokenshould be"#{session_random_token}:#{random_string}"whererandom_stringis a randomly generated 64 character long string of mixed uppercase, lowercase and numbers.