feat: add verification for v2 auth #3155
Merged
Pull request overview
This PR introduces an “AUTH-4” re-authentication signal to help migrate/reauth clients consistently across HTTP and websockets, and strengthens v2 token verification by explicitly detecting revoked/expired session rows (instead of filtering them out at query time).
Changes:
- Add `AuthService.authenticate()` returning a richer `AuthResult` (actor/reauth/invalid) and emit reauth reasons for revoked/expired sessions and legacy-v1 tokens.
- Update HTTP auth probe + gates and socket.io auth middleware to propagate `reauth_required` to clients (including structured payloads) and add KV/log-based observability.
- Extend `SessionStore` with a raw session lookup path to support revocation/expiry classification, and add/extend unit + integration tests.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| src/backend/stores/session/SessionStore.js | Split “active-only” session lookup from a raw lookup to support revoked/expired classification. |
| src/backend/services/socket/SocketService.ts | Add socket-side reauth error payload + decision helper and switch socket auth to AuthService.authenticate(). |
| src/backend/services/socket/SocketService.test.ts | Unit tests for socket reauth error packing and auth decision logic. |
| src/backend/services/auth/AuthService.ts | Introduce AuthResult / ReauthReason, add authenticate(), and emit reauth for revoked/expired/legacy scenarios. |
| src/backend/services/auth/AuthService.test.ts | Integration tests for the new authenticate() result shape and reauth reasons. |
| src/backend/server.ts | Wire the server KV store into the global auth probe for metrics. |
| src/backend/core/http/middleware/gates.ts | Gate now returns reauth_required when the probe marks requiresReauth. |
| src/backend/core/http/middleware/gates.test.ts | Coverage for reauth-required gate behavior and precedence rules. |
| src/backend/core/http/middleware/authProbe.ts | Probe now consumes authenticate() and sets requiresReauth, metrics, and logs. |
| src/backend/core/http/middleware/authProbe.test.ts | Unit tests for reauth propagation, KV increments, and logging behavior. |
| src/backend/core/http/expressAugmentation.ts | Extend Express.Request typing with requiresReauth. |
| * or leaves `req.actor` undefined for per-route gates to reject. | ||
| */ | ||
| async authenticateFromToken(token: string): Promise<Actor | null> { | ||
| const result = await this.authenticate(token); |
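Review bot: `authenticateFromToken` still returns `Promise<Actor | null>`, so when `this.authenticate(token)` yields a reauth or invalid result both collapse to `null` and the reauth reason is lost on this path. Document in the JSDoc above that callers needing the reauth signal must use `authenticate()` directly, or have this wrapper only handle the actor case and leave reauth propagation to the probe and socket middleware described in the summary.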
Comment on lines 439 to 444
| this.clients.event.emit( | ||
| `sent-to-user.${wireName}`, | ||
| { | ||
| user_id: userId, | ||
| user_id: userId as number, | ||
| response: data.response, | ||
| }, |
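Review bot: `user_id: userId as number` only silences the type checker; if `userId` can arrive as a string from the wire, the emitted `sent-to-user.${wireName}` payload will still carry a string. Narrow the type where `userId` is produced, or validate it (e.g. `Number.isInteger(userId)`) before emitting, rather than casting here.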
Comment on lines +37 to +40
| type AuthResultLike = | ||
| | { actor: Actor } | ||
| | { reauth: { reason: string; auth_id?: string } } | ||
| | { invalid: true }; |
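Review bot: `AuthResultLike` redeclares the result shape locally with `reason: string`, which is wider than the `ReauthReason` that `AuthService.ts` introduces per the summary, so the two can drift and an unknown reason string would pass the socket decision helper unnoticed. Import `AuthResult` / `ReauthReason` from the auth service instead of duplicating the union.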
Comment on lines +79 to 84
| async getByUuidAny(uuid) { | ||
| if (!uuid) return null; | ||
| const now = nowSeconds(); | ||
| const cached = await this.#readCache(uuid); | ||
| if (cached) { | ||
| if (cached.revoked_at != null) return null; | ||
| if (isExpired(cached, now)) return null; | ||
| return cached; | ||
| } | ||
| if (cached) return cached; | ||
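Review bot: `getByUuidAny` now returns a cached row even when `revoked_at` is set or `isExpired(cached, now)` holds, which is the intended raw lookup but makes the revocation/expiry checks the caller's responsibility. Add a JSDoc on this method stating that it returns revoked and expired sessions and must not be used for authorization decisions, and confirm that every pre-existing caller still goes through the active-only lookup so the split does not silently widen what is accepted.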
No description provided.