bengler / checkpoint

Centralized identity store and authentication broker for web applications. It supports a number of authentication mechanisms and is exposed over an HTTP interface.
MIT License

Create session gives god session to user #37

Closed kytrinyx closed 11 years ago

kytrinyx commented 11 years ago

I expect the POST /sessions?identity_id=<some-id>&session=<a-god-session> to do the following:

  1. create a session for the identity id passed in
  2. return that session in the response
  3. not change the god session or identity used to create these.

This is what is happening:

  1. create a god session to experiment with:

./bin/checkpoint session create -r apdm -s zeus -g

curl -XGET "http://checkpoint.dev/api/checkpoint/v1/identities/me?session=zeus"

{"identity":{"id":2801155,"god":true,"created_at":"2012-12-11T09:15:43+01:00","realm":"apdm","provisional":true,"fingerprints":[]},"accounts":[]}

  2. Create an identity to experiment with:

./bin/checkpoint session create -r apdm -s odysseus

curl -XGET "http://checkpoint.dev/api/checkpoint/v1/identities/me?session=odysseus"

{"identity":{"id":2801156,"god":false,"created_at":"2012-12-11T09:20:12+01:00","realm":"apdm","provisional":true,"fingerprints":[]},"accounts":[]}

  3. Ok, we now have:
    • God ID: 2801155
    • God Session: zeus
    • User ID: 2801156
    • User Session: odysseus

So to create a new user session for our user:

curl -XPOST "http://checkpoint.dev/api/checkpoint/v1/sessions?identity_id=2801156&session=zeus"

{"session":{"identity_id":2801156,"id":"zeus"}}

Notice that we have the user identity with the god session. I would have expected a completely new, randomly generated session.

Now what do we know about our god:

curl -XGET "http://checkpoint.dev/api/checkpoint/v1/identities/me?session=zeus"

{"identity":{"id":2801156,"god":false,"created_at":"2012-12-11T09:20:12+01:00","realm":"apdm","provisional":true,"fingerprints":[]},"accounts":[]}

The god session has been given to the non-god user.

He still has his old session, too.

curl -XGET "http://checkpoint.dev/api/checkpoint/v1/identities/me?session=odysseus"

{"identity":{"id":2801156,"god":false,"created_at":"2012-12-11T09:20:12+01:00","realm":"apdm","provisional":true,"fingerprints":[]},"accounts":[]}
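The walk-through above, modelled on a toy in-memory session store so the reported behaviour and the expected behaviour can be run side by side. This is an added illustration, not Checkpoint's own code: the `SessionStore` class, its method names, the `Identity`/`Session` structs, and the assumption that only a god session may mint sessions for other identities are all mine. `create_session_for_buggy` does what the issue observes (it re-points the caller's own session at the target identity); `create_session_for` does what the reporter expects (a fresh random session for the target, caller's session untouched).

```ruby
require 'securerandom'

# Toy model of identities and sessions (assumed shape, not Checkpoint's schema):
# an Identity has an id and a god flag; a Session maps a key to an identity_id.
Identity = Struct.new(:id, :god)
Session  = Struct.new(:key, :identity_id)

class SessionStore
  def initialize
    @identities = {}
    @sessions   = {}
  end

  def add_identity(id, god: false)
    @identities[id] = Identity.new(id, god)
  end

  # Counterpart of "./bin/checkpoint session create": a session for an identity,
  # with a fresh random key unless one is supplied explicitly.
  def create_session(identity_id, key: SecureRandom.hex(16))
    raise ArgumentError, "unknown identity #{identity_id}" unless @identities.key?(identity_id)
    @sessions[key] = Session.new(key, identity_id)
  end

  # Counterpart of GET /identities/me?session=<key>
  def me(key)
    s = @sessions.fetch(key) { raise ArgumentError, "unknown session #{key}" }
    @identities[s.identity_id]
  end

  # The behaviour reported in the issue: the caller's (god) session record is
  # mutated to point at the target identity, so "zeus" now resolves to the user.
  def create_session_for_buggy(identity_id, acting_key)
    actor = me(acting_key)
    raise "forbidden: only a god session may create sessions" unless actor.god
    s = @sessions.fetch(acting_key)
    s.identity_id = identity_id   # overwrites the god session instead of issuing a new one
    s
  end

  # Expected behaviour: authorise with the acting session, then issue a brand-new
  # randomly keyed session for the target identity and leave the actor's session alone.
  def create_session_for(identity_id, acting_key)
    actor = me(acting_key)
    raise "forbidden: only a god session may create sessions" unless actor.god
    create_session(identity_id)
  end
end

# Replays the issue's steps (constructed data using the ids from the report) and
# returns what each session resolves to afterwards.
def reproduce(fixed:)
  store = SessionStore.new
  store.add_identity(2801155, god: true)
  store.add_identity(2801156)
  store.create_session(2801155, key: "zeus")
  store.create_session(2801156, key: "odysseus")

  new_session = fixed ? store.create_session_for(2801156, "zeus")
                      : store.create_session_for_buggy(2801156, "zeus")

  {
    new_key:       new_session.key,
    zeus_is_god:   store.me("zeus").god,
    zeus_identity: store.me("zeus").id,
    new_identity:  store.me(new_session.key).id,
    odysseus_identity: store.me("odysseus").id,
  }
end

if __FILE__ == $PROGRAM_NAME
  p reproduce(fixed: false)
  p reproduce(fixed: true)
end
```

With `fixed: false` the returned hash shows `new_key` equal to `"zeus"` and the god session now resolving to identity 2801156 with `god: false`, exactly the response sequence in the report; with `fixed: true` the new key is a random hex string, `"zeus"` still resolves to 2801155 with `god: true`, and `"odysseus"` is unchanged in both cases.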
kytrinyx commented 11 years ago

It's not open until it's in master.