Open PWesterdale opened 7 years ago
So in terms of structure we obviously need two separate entities as I see it.
id, authPayload
JWT of authPayload
Tokens will be provided to API clients, whereas people using the reservat application will have their auth information stored in a session, accessed when they ping the server with a session cookie.
So for development purposes I need to create a method to store tokens and their expiry in MySQL, tied to a user - this will allow them to cancel a token at any time.
I need to create a store in Redis for sessions, along with the functionality to create, update, invalidate and remove those sessions.
We also need an agreed authPayload packet and class.
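A sketch of the token store described above (a per-user table of tokens with an expiry that the user can cancel at any time), written as an added example rather than code from the reservat project. It assumes an in-memory SQLite table as a stand-in for the MySQL table, stores only a SHA-256 hash of each token so that a copy of the table does not yield usable tokens, and takes an explicit `now` so the expiry logic can be exercised without waiting; the table and column names are constructed for this example.

```python
import hashlib
import secrets
import sqlite3
import time
from typing import Optional

# Constructed schema: SQLite stands in for the MySQL table from the issue.
# Only the hash of a token is kept; the raw token is returned to the caller once.
SCHEMA = """
CREATE TABLE IF NOT EXISTS api_tokens (
    token_hash TEXT PRIMARY KEY,
    user_id    INTEGER NOT NULL,
    expires_at INTEGER NOT NULL,
    revoked_at INTEGER
)
"""


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def _now(now: Optional[int]) -> int:
    return int(time.time()) if now is None else now


def issue_token(conn, user_id: int, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Create a token for user_id that expires ttl_seconds from now."""
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    conn.execute(
        "INSERT INTO api_tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)",
        (_hash(token), user_id, _now(now) + ttl_seconds),
    )
    return token


def lookup_token(conn, token: str, now: Optional[int] = None) -> Optional[int]:
    """Return the owning user_id, or None if the token is unknown, expired or revoked."""
    row = conn.execute(
        "SELECT user_id, expires_at, revoked_at FROM api_tokens WHERE token_hash = ?",
        (_hash(token),),
    ).fetchone()
    if row is None:
        return None
    user_id, expires_at, revoked_at = row
    if revoked_at is not None or expires_at <= _now(now):
        return None
    return user_id


def revoke_token(conn, token: str, now: Optional[int] = None) -> bool:
    """Cancel one token; returns False if it was already revoked or never existed."""
    cur = conn.execute(
        "UPDATE api_tokens SET revoked_at = ? WHERE token_hash = ? AND revoked_at IS NULL",
        (_now(now), _hash(token)),
    )
    return cur.rowcount == 1


def revoke_all_for_user(conn, user_id: int, now: Optional[int] = None) -> int:
    """Cancel every live token a user holds; returns how many were revoked."""
    cur = conn.execute(
        "UPDATE api_tokens SET revoked_at = ? WHERE user_id = ? AND revoked_at IS NULL",
        (_now(now), user_id),
    )
    return cur.rowcount
```

Revocation is recorded with a timestamp rather than by deleting the row, so a revoked token that is presented later can be recognised as revoked (and logged) rather than looking like a token that never existed.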
We're not going to use JWT for both clients and users?
A user can have many sessions. There are 3 types of session.
application: Only granted when the user is using the reservat application, raised perms.
api: Long lived tokens for users to access the API. Controlled permissions.
customer: Basic perms to be able to make bookings and communicate with the set restaurant through websockets.
The only thing stored user side will be a sessionID in cookies or local storage. Cookies will have a set expiration date, but the session will also have an expiration stored inside Redis.
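An added example (not code from the reservat project) of the session store described in the two posts above: a user can hold many sessions of the three types, the client only ever holds an opaque session ID, and the expiry lives server-side as well as on the cookie. It assumes an in-memory dictionary as a stand-in for Redis (the comments note the equivalent Redis commands), an injectable clock so expiry can be tested, and permission names that are constructed for this example; `invalidate` marks a session dead while `remove` deletes it, which is one reading of the distinction made in the opening post.

```python
import secrets
import time
from typing import Callable, Dict, List, Optional

# Constructed permission sets for the three session types named in the thread.
SESSION_TYPES = {
    "application": {"bookings:read", "bookings:write", "restaurant:manage"},
    "api": {"bookings:read", "bookings:write"},
    "customer": {"bookings:write", "chat:send"},
}


class SessionStore:
    """In-memory stand-in for Redis: a hash per session plus a key TTL.

    The client holds only the session ID (cookie or local storage). Expiry is
    enforced here too, so a cookie with a tampered expiry cannot outlive the session.
    """

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._data: Dict[str, dict] = {}      # HSET sess:<id> field value ...
        self._expiry: Dict[str, float] = {}   # EXPIRE sess:<id> ttl

    def create(self, user_id: int, kind: str, ttl_seconds: int) -> str:
        if kind not in SESSION_TYPES:
            raise ValueError(f"unknown session type: {kind}")
        sid = secrets.token_urlsafe(32)
        self._data[sid] = {
            "user_id": user_id,
            "type": kind,
            "perms": set(SESSION_TYPES[kind]),
            "valid": True,
        }
        self._expiry[sid] = self._clock() + ttl_seconds
        return sid

    def get(self, sid: str) -> Optional[dict]:
        """Return the session payload, or None if missing, expired or invalidated."""
        exp = self._expiry.get(sid)
        if exp is None:
            return None
        if exp <= self._clock():
            self.remove(sid)  # lazy expiry, as Redis does for an expired key
            return None
        sess = self._data[sid]
        return sess if sess["valid"] else None

    def update(self, sid: str, **fields) -> bool:
        sess = self.get(sid)
        if sess is None:
            return False
        sess.update(fields)
        return True

    def touch(self, sid: str, ttl_seconds: int) -> bool:
        """Extend a live session's expiry (EXPIRE sess:<id> ttl)."""
        if self.get(sid) is None:
            return False
        self._expiry[sid] = self._clock() + ttl_seconds
        return True

    def invalidate(self, sid: str) -> bool:
        """Mark a session dead but keep it until its TTL, so reuse is visible."""
        if self.get(sid) is None:
            return False
        self._data[sid]["valid"] = False
        return True

    def remove(self, sid: str) -> bool:
        """Delete the session outright (DEL sess:<id>)."""
        existed = sid in self._data
        self._data.pop(sid, None)
        self._expiry.pop(sid, None)
        return existed

    def has_permission(self, sid: str, perm: str) -> bool:
        sess = self.get(sid)
        return sess is not None and perm in sess["perms"]

    def sessions_for_user(self, user_id: int) -> List[str]:
        """All live session IDs for a user (a user can have many sessions)."""
        return [sid for sid, s in list(self._data.items())
                if s["user_id"] == user_id and self.get(sid) is not None]
```

Permissions are derived from the session type at creation time rather than sent by the client, so raising permissions requires creating a new session of a different type rather than editing anything the client holds.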