
Session needs a user id field, and SessionStore needs ability to invalidate/modify sessions by user id #274

Open
lukehutch opened this issue Mar 20, 2019 · 1 comment

@lukehutch (Contributor) commented Mar 20, 2019

Version

  • vert.x core: 4.0-SNAPSHOT
  • vert.x auth: 4.0-SNAPSHOT

Context

For security, Vertx needs the ability to invalidate all sessions for a given user id, and to write a given key/value pair to the data for all sessions with a given user id (to allow permissions to be granted or revoked instantly across all sessions). This should work across either a local session store or a clustered session store.

Currently there is no way to associate a user id (e.g. an email address) with a session, beyond simply storing the user id as a custom key/value pair in the session data. However, the session data is not indexed across all sessions, which makes it impossible to find all sessions that are associated with a given user id.

This means that it is currently not possible to forcibly log a user out from all sessions based on user id. It is also not possible to grant or revoke a permission to/from all sessions for the user, unless each session is constantly querying a shared map, which would require a database query in the clustered case, potentially for every request, rather than simply relying on cached permissions in the session store.

The needed methods would be:

  • void Session.setUserId(String userId)
  • String Session.getUserId()
  • int SessionStore.invalidateAllSessionsWithUserId(String userId) -- maybe return the number of invalidated sessions
  • void SessionStore.putForAllSessionsWithUserId(String userId, String key, Object value)

Then the user would set the user id in a session after the user authenticates for the first time. For OAuth2, this could be done automatically by fetching the userInfo via OpenID Connect after OAuth2 connects (the OIDC data often or usually contains the email address, or some other unique identifier). The OIDC data could be automatically cached in the session once it is fetched.

@stephanebastian (Contributor) commented:

Hi Luke,

I do agree that Vertx should provide a way to invalidate all sessions of a specific user. We came across this issue several times in different projects built with Vertx. The workaround was to add the method SessionStore.deleteByUserId(xyz, Handler<AsyncResult<Set>> handler) in our own session store (where the Set is the list of Session Ids that have been deleted).
However, with Vertx, you can currently have a Session without a User. This is because Vertx currently considers that a User is mainly related to Authentication and Authorization. This is another aspect that sounds odd because, no matter what, there is always a User. He is not necessarily authenticated though, and has no permission by default.
In my opinion, when you call routingContext.user(), Vertx should always return a user. It is either an anonymous User (with an id but no permissions, of course) or an authenticated user.
In which case, it would be perfectly valid to add the method SessionStore.deleteByUserId (or whatever the name is) because Session data would always be related to a User.

I think we should ping @pmlopes to get his feedback
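Added illustration, not Vert.x code and not something either commenter posted: a standalone Java sketch of the store shape the issue asks for (setUserId/getUserId plus invalidate-by-user and put-for-all-sessions-of-user), returning the set of removed session ids as the deleteByUserId workaround in the comment above does. The class names IndexedSession and UserIndexedSessionStore, and the sample user ids, are made up for this example. The point it shows is the secondary index userId -> sessionIds, which is what makes "log this user out everywhere" an O(sessions of user) operation instead of a scan of every session.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

/** Minimal session: opaque id, optional user id, data map. Hypothetical, not vert.x's Session. */
final class IndexedSession {
    private final String id = UUID.randomUUID().toString();
    private volatile String userId;                       // null while anonymous
    private final Map<String, Object> data = new ConcurrentHashMap<>();
    private volatile boolean destroyed;

    String id() { return id; }
    String getUserId() { return userId; }
    void setUserIdInternal(String u) { userId = u; }     // only the store may call this, it owns the index
    void put(String key, Object value) { data.put(key, value); }
    Object get(String key) { return data.get(key); }
    boolean isDestroyed() { return destroyed; }
    void destroy() { destroyed = true; data.clear(); }   // a destroyed session must never be handed out again
}

/** Local store with a secondary index userId -> sessionIds. Hypothetical, not a vert.x SessionStore. */
final class UserIndexedSessionStore {
    private final Map<String, IndexedSession> sessions = new ConcurrentHashMap<>();
    private final Map<String, Set<String>> byUser = new ConcurrentHashMap<>();

    IndexedSession create() {
        IndexedSession s = new IndexedSession();
        sessions.put(s.id(), s);
        return s;
    }

    /** Lookup by cookie id; a destroyed session behaves as if it never existed. */
    IndexedSession get(String id) {
        IndexedSession s = sessions.get(id);
        return (s == null || s.isDestroyed()) ? null : s;
    }

    /** Bind (or rebind) a session to a user id, keeping the index consistent either way. */
    void setUserId(IndexedSession s, String userId) {
        String old = s.getUserId();
        if (old != null) {
            byUser.computeIfPresent(old, (k, ids) -> { ids.remove(s.id()); return ids.isEmpty() ? null : ids; });
        }
        s.setUserIdInternal(userId);
        if (userId != null) {
            byUser.computeIfAbsent(userId, k -> ConcurrentHashMap.newKeySet()).add(s.id());
        }
    }

    /** Destroy every session bound to userId; returns the ids that were removed (size() is the count). */
    Set<String> invalidateAllSessionsWithUserId(String userId) {
        Set<String> ids = byUser.remove(userId);          // detach the index entry first
        if (ids == null) return Collections.emptySet();
        for (String id : ids) {
            IndexedSession s = sessions.remove(id);
            if (s != null) s.destroy();
        }
        return ids;
    }

    /** Write key/value into every live session of userId, e.g. to grant or revoke a permission at once. */
    int putForAllSessionsWithUserId(String userId, String key, Object value) {
        int updated = 0;
        for (String id : byUser.getOrDefault(userId, Collections.emptySet())) {
            IndexedSession s = get(id);
            if (s != null) { s.put(key, value); updated++; }
        }
        return updated;
    }

    public static void main(String[] args) {
        UserIndexedSessionStore store = new UserIndexedSessionStore();
        IndexedSession laptop = store.create(), phone = store.create(), other = store.create();
        store.setUserId(laptop, "alice@example.com");     // constructed sample user ids
        store.setUserId(phone, "alice@example.com");
        store.setUserId(other, "bob@example.com");
        int granted = store.putForAllSessionsWithUserId("alice@example.com", "role", "admin");
        Set<String> revoked = store.invalidateAllSessionsWithUserId("alice@example.com");
        System.out.println("granted in " + granted + " session(s), revoked " + revoked.size()
            + ", phone still valid: " + (store.get(phone.id()) != null)
            + ", bob untouched: " + (store.get(other.id()) != null));
    }
}
```

Two caveats a reviewer of a real implementation would raise. In the clustered case the byUser index has to live in the shared map alongside the sessions themselves, otherwise a node that did not see the setUserId call cannot invalidate; and the check in get() (refuse a destroyed id) is what actually ends the user's access, since the browser still holds the old cookie until its next request.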

No branches or pull requests

2 participants