Currently, the website does not have any sort of session management. "Sessions" are currently handled using JWTs, which means that sessions are nearly impossible to invalidate. In order to support an upcoming feature (#209), the website will need to be able to support multiple active logins at once, which also means that proper session management becomes critical.
This feature proposes the introduction of sessions and session management on the API. To make this as backwards compatible as possible, this should be implemented on a new route and the existing routes should remain in place until the app has been updated and is working with the new system.
MVP
All login attempts will generate sessions that will be managed by the API server and database
To keep backwards compatibility, a new route should be created to create new sessions
All authentication protected routes should look for valid sessions instead of using the JWT
A new route should be created to terminate sessions (logout)
This route should only be available to active sessions
The web app should be updated to handle login/logouts from these new routes
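As an added illustration of the MVP above (not code from this project), the following Python sketch shows the server-side session model the proposal asks for: login mints an opaque random token whose hash is persisted, every protected route resolves the token to an active session, logout revokes that one session and is only honoured when called with an active session, and a user may hold several sessions at once. The store, the `SESSION_TTL_SECONDS` lifetime and the route names in the comments are assumptions; the issue does not specify them.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed session lifetime; the proposal does not state one.
SESSION_TTL_SECONDS = 60 * 60 * 24


@dataclass
class Session:
    user_id: str
    created_at: float
    expires_at: float
    revoked: bool = False


class SessionStore:
    """In-memory stand-in for the sessions table the API server would own.

    Unlike a JWT, every session lives in this store, so the server can end it
    at any time simply by flipping `revoked` or deleting the row.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}  # keyed by token hash

    @staticmethod
    def _hash(token: str) -> str:
        # Persist only a hash so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user_id: str) -> str:
        """Login (e.g. POST /sessions, an assumed route): mint and persist a session."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        now = self._clock()
        self._sessions[self._hash(token)] = Session(
            user_id=user_id, created_at=now, expires_at=now + SESSION_TTL_SECONDS
        )
        return token  # the only copy of the plaintext token goes to the client

    def lookup(self, token: str) -> Optional[Session]:
        """What every auth-protected route does instead of verifying a JWT."""
        session = self._sessions.get(self._hash(token))
        if session is None or session.revoked or session.expires_at <= self._clock():
            return None
        return session

    def terminate(self, token: str) -> bool:
        """Logout (e.g. DELETE /sessions, assumed): only an active session may log out."""
        session = self.lookup(token)
        if session is None:
            return False  # unknown, expired or already revoked: nothing to do
        session.revoked = True
        return True

    def active_count(self, user_id: str) -> int:
        """How many concurrent logins this user currently has (feature #209)."""
        return sum(1 for s in self._sessions.values() if s.user_id == user_id and self.lookup_by_session(s))

    def lookup_by_session(self, session: Session) -> bool:
        return not session.revoked and session.expires_at > self._clock()

    def terminate_all(self, user_id: str) -> int:
        """Revoke every active session for a user, e.g. after a password change."""
        revoked = 0
        for session in self._sessions.values():
            if session.user_id == user_id and self.lookup_by_session(session):
                session.revoked = True
                revoked += 1
        return revoked


if __name__ == "__main__":
    store = SessionStore()
    phone = store.create("alice")   # constructed sample logins
    laptop = store.create("alice")
    print("active:", store.active_count("alice"))   # 2: multiple logins coexist
    store.terminate(phone)
    print("after logout:", store.active_count("alice"))  # 1: only that session ended
    print("laptop still valid:", store.lookup(laptop) is not None)
```

The defender-side point is the contrast with the current JWT flow: a JWT stays valid until it expires no matter what the server does, whereas here a single-row update ends a session immediately, and `terminate_all` gives the "log out everywhere" behaviour that multiple concurrent logins will eventually require.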
Design
Click this link to view the full Miro board
Milestones