Skip to content

Add config.expireInactiveSession to add support for non-expiring inactive sessions #1536

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
May 6, 2016
Merged

Add config.expireInactiveSession to add support for non-expiring inactive sessions #1536

merged 5 commits into from
May 6, 2016

Conversation

steven-supersolid
Copy link
Contributor

No description provided.

@codecov-io
Copy link

codecov-io commented Apr 18, 2016
edited
Loading

Current coverage is 92.31%

Merging #1536 into master will increase coverage by +<.01%

@@             master      #1536   diff @@
==========================================
  Files            87         87          
  Lines          6148       6153     +5   
  Methods        1062       1062          
  Messages          0          0          
  Branches       1260       1263     +3   
==========================================
+ Hits           5675       5680     +5   
  Misses          473        473          
  Partials          0          0

Powered by Codecov. Last updated by 0b88302...de42ace

@drew-gross
Copy link
Contributor

I don't think this is the behaviour we want. Being able to create a session that is already expired is useful to test your client-side code that handles session expiry.

My recommendation would be to add an expireInactiveSessions setting similar to Parse.com, and throw an error if they try to set a sessionLength and also set expireInactiveSessions to false.

@facebook-github-bot
Copy link

@steven-supersolid updated the pull request.

@steven-supersolid
Copy link
Contributor Author

I've made some of the suggested changes but didn't want to change the current default behavior. Please let me know what you think about this:

Default: expireInactiveSessions = true, sessionLength = 1 year
Case A: Developer can change the value of sessionLength as desired
Case B: Developer can set expireInactiveSessions to false to disable with no other change required (such as changing sessionLength to an invalid value)

@drew-gross
Copy link
Contributor

This looks good to me, cc @nlutsenko @gfosco for comments because this involves a new public API.

@steven-supersolid steven-supersolid changed the title Create non-expiring session when sessionLength is zero Add config.expireInactiveSessions to add support for non-expiring inactive sessions Apr 18, 2016
@steven-supersolid steven-supersolid changed the title Add config.expireInactiveSessions to add support for non-expiring inactive sessions DO NOT MERGE - Add config.expireInactiveSessions to add support for non-expiring inactive sessions Apr 18, 2016
@steven-supersolid
Copy link
Contributor Author

I think I missed the following checks when expireInactiveSessions is false:

  • Don't delete the session document where the User has an existing expired session
  • Delete the session expiration for any users with existing sessions

Will address tomorrow

@drew-gross
Copy link
Contributor

Adding that would be a much larger and probably backwards incompatible change. Probably to support the use case you want would require a major and backwards incompatible overhaul to sessions, which I would like to see, but probably not for awhile. Essentially I'd like to remove expiresAt from sessions and check for expiry by subtracting the expiration time from the current time and checking that against updatedAt or some other field.

@nlutsenko
Copy link
Contributor

Having expiresAt is still helpful, since otherwise we are relying on magic when the user uses the session token for example, but I feel that's a topic for some other day.

This looks good to me, and is helpful for testing, and when the security model of Parse Server is not required, so I am ok with this change.

@steven-supersolid steven-supersolid changed the title DO NOT MERGE - Add config.expireInactiveSessions to add support for non-expiring inactive sessions Add config.expireInactiveSession to add support for non-expiring inactive sessions Apr 18, 2016
@steven-supersolid
Merge remote-tracking branch 'upstream/master' into non-expiring-sess…
8ef791a 
…ions

# Conflicts:
#	src/Config.js
#	src/ParseServer.js
@facebook-github-bot
Copy link

@steven-supersolid updated the pull request.

@drew-gross
Copy link
Contributor

Parse.com sets/deletes expiresAt when making a request using a session token, rather than when the setting is enabled/disabled. I think thats probably the right approach. I'd actually be fine with merging this as is. I do think 0 seconds should be a valid session length, but thats something we can change later.

@ghost
Copy link

ghost commented Apr 29, 2016

@steven-supersolid updated the pull request.

@ghost
Copy link

ghost commented Apr 30, 2016

@steven-supersolid updated the pull request.

@drew-gross drew-gross merged commit 37c502b into parse-community:master May 6, 2016
@steven-supersolid steven-supersolid deleted the non-expiring-sessions branch August 4, 2016 22:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@steven-supersolid @codecov-io @drew-gross @facebook-github-bot @nlutsenko