Open nelsonic opened 5 years ago
This is the next logical thing to tackle in Auth. After PR #43 is merged. 👍
Sessions working as expected:
session.end
updated in AuthWeb.AuthController.logout/2
which in turn invokes Auth.Session.end_session/1
PR: #159 assigned for review. :shipit:
Context
People expect that "Login" (Authentication / Authorisation) "just works ™". Nobody wants to have to re-authenticate each time they use a Web App1. Being forced to re-authenticate creates usage friction and in some cases abandonment. When Login fails it can be "catastrophic" to any app, getting it right is worth the investment!
Story
As a "user" (person using a web application) I want to be able to login once and have the App remember me for as long as I'm using the app. So that I don't have to keep logging in each time I use the App.
We don't want to force people to constantly login to the App because it gets "old" very fast and will result in people being less effective with their time (wasting time logging into apps is a "time tax" nobody wants to keep paying!)
sessions
Schema[x]
inserted_at
- (standard ecto/phoenix schema type::naive_datetime
) when a record is inserted. Automatically set by the database which ensures record integrity. This is the start of the session.cid
(Primary Key. Ecto type:string
) - the hash of the data being inserted (_the Ectochangeset
minus theinserted_at
timestamp_) such that we know that a record is unique and verifiable.[x]
session_id
- (Ecto type:string
) - the hash of the data being inserted (_the Ectochangeset
minus theinserted_at
timestamp_) such that we know that a record is unique and verifiable.[x]
person_id
- (Foreign Key:Auth.People.person_id
, Ecto type:string
) A reference to the person record. Note: as illustrated in thepeople
schema example https://github.com/dwyl/auth/issues/32 theperson_id
can refer to an anonomyous (unregistered) person. The same session will continue after they register, this allows for traceability through the analytics/user-journey.[x] User Agents Table
[x]
device_id
- the unique identifier of the device including browser user agent and IP Address. this is an irreversible hash which is checked on each request to reduce the chance of session spoofing.[x]
ip_address
- (Ecto type:binary
, Use ) the device IP used for securing the session.[x]
end
- (Ecto type::naive_datetime
) the time when the session ended (usually via "logout" in the case of a registered/logged-in person).session
exampleThe row2 number in the table below corresponds to the action taken.
prev
when the session starts.end_at
column.inserted_at
cid
(PK)session_id
person_id
ip_address
2end_at
device_id
prev
1541609554
null
null
1541609554
null
1541609876
1541609876
device_id
You may have noticed in the
sessions
schema above that a session record includes a reference todevice_id
this is an attempt2 to track which device is being used for a particular session so that we can provide a better service.3We have implemented this Device data "anonymisation" and hashing before in: https://github.com/dwyl/hits#implementation-detail and https://github.com/dwyl/hits-elixir So we can easily get the
user_agent
andip_address
data from theconn
Todo
We need a sophisticated approach to session management that will ensure both flawless UX and excellent security for all people using our App on any device. These are the areas we need to cover:
[x] Anonymous Sessions - for people who are curious about the App/Site but have not yet registered their email address to persist their interactions. ... going to come back to this later!
[x] Registration with Email address.
[x] Verification - email address is verified by clicking a link sent by email.
[x] Re/Set Password - once the person has verified their email address we ask them to define a password so they can login again. This is the same form to be used in the case where the person cannot remember their password and wants to re-set it. (all that changes is the copy)
[x] Login - the person logs into the App/Site using an email address and password. If either of these two are not present in the
people
table (or invalid in the case when a password is incorrect), then login will fail with the appropriate (friendly) message. If email and password are valid, show the page they were attempting to reach or their "dashboard".[x] Logout - destroy the session on their machine/device and set the
end_time
insessions
table. #158Each one of these checklist items will need it's own issue/story with UX/UI flow & logic. I will get these opened shortly. ⏳