feat(core): expose oidc session uid on ctx.auth#8728
Changed files (size diff):

| Name | Diff |
|---|---|
| packages/core/src/middleware/koa-auth/koa-oidc-auth.test.ts | 📈 +638 Bytes |
| packages/core/src/middleware/koa-auth/koa-oidc-auth.ts | 📈 +30 Bytes |
| packages/core/src/middleware/koa-auth/types.ts | 📈 +206 Bytes |
Non-blocking suggestion: the runtime change only sets The design note says not to add this to the M2M/app context. If we want the type contract to reflect that more strictly, we could split
wangsijie left a comment
🤖 PR Review
This PR plumbs the OIDC access token's session UID through koaOidcAuth into ctx.auth and adds focused unit coverage for both present and absent values.
- 🔒 Security: clean
- 🏗️ Architecture: clean
- 👨💻 Engineering: clean
Verdict:
AppAuth is not available for the user account API. So this is not an issue.
8306cbf to 10f30ed
wangsijie left a comment
🤖 PR Review
This PR plumbs the OIDC access token's sessionUid onto ctx.auth as groundwork for upcoming session-aware APIs.
- 🔒 Security: 0 high, 1 medium
- 🏗️ Architecture: clean
- 👨💻 Engineering: clean
Verdict:
```ts
  /**
   * OIDC session uid that backs the current access token, when the token was minted from an
   * interactive (session-backed) flow. Absent for client-credentials tokens.
   */
  sessionUid?: string;
```
🔒 Medium: Adding sessionUid to the shared WithAuthContext lets handlers type-check against ctx.auth.sessionUid even on routes backed by other auth middlewares where that field is never populated at runtime.
Keeping sessionUid?: string on the shared Auth type for now. The same shape already carries identityVerified?: boolean and clientId?: string, both of which are populated only by koa-oidc-auth and likewise typed-but-undefined for handlers behind other middlewares. Adding sessionUid follows the established pattern; tightening it (discriminated union over type: 'user' | 'app', or moving it to a separate context decoration) is a wider refactor that touches every ctx.auth consumer in the repo.
Plumb the access token's `sessionUid` (already persisted on every session-backed AccessToken model) through `koaOidcAuth` so route handlers protected by the middleware can identify the current OIDC session. Adds an optional `sessionUid?: string` to the user `Auth` type and forwards the value verbatim from the verified access token. This is groundwork for `isCurrent` tagging on the Account API sessions response (P1.2 / LOG-13304); no consumer reads the field yet. Refs LOG-13303
10f30ed to 52f33ba
Summary

Plumb the access token's `sessionUid` (already persisted on every session-backed `AccessToken` model by node-oidc-provider) through `koaOidcAuth` so route handlers can identify the current OIDC session. Adds an optional `sessionUid?: string` to the user `Auth` type and forwards the value verbatim from the verified access token.

This is groundwork for the upcoming `isCurrent` flag on the `GET /api/my-account/sessions` response — see GitHub #8681. No consumer reads `ctx.auth.sessionUid` yet; that lands in the next PR (P1.2).

Testing

Unit tests

Checklist

.changeset
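The plumbing described in the summary, plus the planned `isCurrent` consumer, as an added example that is not Logto's own code. The `Auth` and `Session` shapes, the token table and `verifyAccessToken` are constructed here; the real middleware validates the bearer token against node-oidc-provider, which the stub stands in for.

```typescript
// Added example (not Logto's code). The Auth/Session shapes, the token table and
// verifyAccessToken are constructed here; the real middleware validates the bearer
// token against node-oidc-provider, which this stub stands in for.

type Auth = {
  type: 'user' | 'app';
  id: string;
  clientId?: string;
  // Set only by the OIDC middleware, and only for session-backed (interactive) tokens.
  sessionUid?: string;
};
type VerifiedToken = { type: 'user' | 'app'; sub: string; clientId?: string; sessionUid?: string };
type Session = { uid: string; createdAt: string };

// Constructed stand-in for the provider's AccessToken model.
const tokenStore: Record<string, VerifiedToken> = {
  // Minted from an interactive login: carries the uid of the backing session.
  'tok-user': { type: 'user', sub: 'user_1', clientId: 'app_web', sessionUid: 'sess_abc' },
  // Client-credentials token: no session exists, so no sessionUid.
  'tok-m2m': { type: 'app', sub: 'app_m2m', clientId: 'app_m2m' },
};

function verifyAccessToken(bearer: string): VerifiedToken {
  const token = tokenStore[bearer];
  if (!token) throw new Error('invalid_token');
  return token;
}

// Mirrors the plumbing in the PR: forward sessionUid verbatim from the verified token,
// leaving it undefined when the token has no session behind it.
function koaOidcAuth(ctx: { auth?: Auth }, bearer: string): Auth {
  const { type, sub, clientId, sessionUid } = verifyAccessToken(bearer);
  ctx.auth = { type, id: sub, clientId, sessionUid };
  return ctx.auth;
}

// The planned consumer (#8681): tag the session that backs the caller's token.
// A token without sessionUid never matches, so an M2M caller gets no isCurrent hit.
function tagCurrentSession(sessions: Session[], auth: Auth): Array<Session & { isCurrent: boolean }> {
  return sessions.map((session) => ({
    ...session,
    isCurrent: auth.sessionUid !== undefined && session.uid === auth.sessionUid,
  }));
}
```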