No session id in rpc context if it's sent over http

heroiclabs / nakama

Distributed server for social and realtime games and apps.

https://heroiclabs.com

Apache License 2.0

8.85k stars 1.08k forks source link

No session id in rpc context if it's sent over http #873

Closed vyacheslav-sozap closed 2 years ago

vyacheslav-sozap commented 2 years ago

Description

Runtime: JavaScript. Rpc ctx object doesn't have "sessionId" field if rpc has been called over "Nakama.Client.RpcAsync".

Steps to Reproduce

Example:

Authenticate
Send RPC using "Nakama.Client.RpcAsync" with session got from authentication on step 1
Check "sessionId" field in context

Expected Result

"sessionId" field contains session id

Actual Result

no such field in context

Notes

If we're sending RPC over socket connection, it has session id in context.

Probably, the cause of issue is that line: https://github.com/heroiclabs/nakama/blob/9807cc454509b45e0a971269373ed73e8b390a53/server/api_rpc.go#L198 where empty string is passed as session id.

Your Environment

Nakama: 3.12.0
Database: PostgreSQL from Docker image postgres:13.6-alpine
Environment name and version: Docker image heroiclabs/nakama:3.12.0
Operating System and version: WSL2 on Windows 10

zyro commented 2 years ago

@vyacheslav-sozap Thanks for the report, but this is working as intended. Session IDs are assigned for the lifetime of a socket, so only socket-based operations present a session ID to RPC function contexts. Additionally, session IDs are only useful in socket contexts - what would you intend to use session IDs for in client-based (non-socket) RPCs?

vyacheslav-sozap commented 2 years ago

So, this session id is not about the Nakama.ISession we pass as a first argument of "Nakama.Client.RpcAsync"? My idea is to logout all user sessions except current, for that matter I guess some sort of current session id is needed. By the way, if we have two different types of sessions, I'm now not sure which one JS API means in "nkruntime.sessionLogout" and "nkruntime.sessionDisconnect"

zyro commented 2 years ago

So, this session id is not about the Nakama.ISession we pass as a first argument of "Nakama.Client.RpcAsync"?

Correct, it's a unique ID assigned to each socket for its lifetime.

nkruntime.sessionLogout invalidates one or more session tokens (not sockets). nkruntime.sessionDisconnect disconnects a socket by its session ID as described above.

My idea is to logout all user sessions except current

If you mean you want to invalidate all session tokens except the one used to make the call, there's no quick function to do that at the moment. You can either invalidate the current session token or all of the user's currently active session tokens. I suggest you use the option to log them all out, and authenticate the user again on the device making the call.

Closing this as not an issue for the moment.