Optional User Session#406

Merged: bjoernricks merged 16 commits into main from optional-user-session on May 15, 2026

Conversation

@bjoernricks bjoernricks commented May 15, 2026

What

Make the User Session optional.

Disclaimer: The session timeout doesn't work correctly with JWT at the moment.

Why

With this change there are two kinds of authentication:

  1. Session based
  2. JWT based

The standard and default mode is the session based mode which uses a token and a cookie to create a session and to identify a user. This mode is stateful.

The new mode is JWT based and uses the Authorization header to get the JSON web token. The JWT is passed to GMP without creating a session within gsad. The session is bound to the lifetime of the JWT currently. This mode is stateless.

References

https://jira.greenbone.net/browse/GEA-1668
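The two modes described above (stateful session via cookie plus token, stateless JWT via the Authorization header, 401 when neither is present) as an added C example. This is illustration code, not gsad's own handler chain: the session table, the 900-second timeout, the field names and the rule that a bearer token takes precedence over a cookie are constructed assumptions. It also shows why the session timeout cannot apply in JWT mode: the JWT path never touches the session store, so the only lifetime is the token's own.

```c
#include <stddef.h>
#include <string.h>
#include <time.h>

/* The two authentication modes from the PR description, plus "none". */
typedef enum { AUTH_NONE = 0, AUTH_SESSION = 1, AUTH_JWT = 2 } auth_mode_t;

/* Hypothetical minimal session record: cookie + token identify a user session. */
typedef struct {
  const char *cookie;
  const char *token;
  time_t last_activity;  /* refreshed on every successful session-mode request */
} session_t;

/* Constructed session timeout in seconds (gsad's real value is configurable). */
#define SESSION_TIMEOUT 900

/* Constructed in-memory session table standing in for gsad's user session store. */
static session_t sessions[] = {
  {"cookie-abc", "token-123", 0},
};
#define SESSION_COUNT (sizeof sessions / sizeof sessions[0])

/* The parts of an incoming request that matter for authentication. */
typedef struct {
  const char *authorization;  /* Authorization header value, or NULL */
  const char *cookie;         /* session cookie value, or NULL */
  const char *token;          /* token parameter from GET or POST, or NULL */
} request_t;

typedef struct {
  auth_mode_t mode;
  const char *jwt;     /* JWT to forward to GMP in JWT mode, else NULL */
  session_t *session;  /* matched session in session mode, else NULL */
} auth_result_t;

/* Return the bearer token from an Authorization header, or NULL if there is none. */
static const char *
bearer_token(const char *authorization)
{
  static const char prefix[] = "Bearer ";
  if (authorization == NULL)
    return NULL;
  if (strncmp(authorization, prefix, sizeof prefix - 1) != 0)
    return NULL;
  authorization += sizeof prefix - 1;
  return *authorization ? authorization : NULL;  /* empty bearer value is no credential */
}

/* Look up a live session by cookie and token. Expired sessions are rejected,
   live ones get their activity timestamp refreshed (sliding timeout). */
static session_t *
find_session(const char *cookie, const char *token, time_t now)
{
  size_t i;
  if (cookie == NULL || token == NULL)
    return NULL;
  for (i = 0; i < SESSION_COUNT; i++) {
    session_t *s = &sessions[i];
    if (strcmp(s->cookie, cookie) != 0 || strcmp(s->token, token) != 0)
      continue;
    if (now - s->last_activity > SESSION_TIMEOUT)
      return NULL;  /* stale: only the stateful mode can enforce this */
    s->last_activity = now;
    return s;
  }
  return NULL;
}

/* Decide the auth mode for one request. Returns the HTTP status to send:
   200 when the request may be forwarded to GMP, 401 when neither a JWT nor
   a valid session is present. The JWT path never consults the session table. */
int
authenticate(const request_t *req, time_t now, auth_result_t *out)
{
  out->mode = AUTH_NONE;
  out->session = NULL;

  out->jwt = bearer_token(req->authorization);
  if (out->jwt != NULL) {
    out->mode = AUTH_JWT;  /* stateless: lifetime is the JWT's own, not gsad's */
    return 200;
  }

  out->session = find_session(req->cookie, req->token, now);
  if (out->session != NULL) {
    out->mode = AUTH_SESSION;
    return 200;
  }
  return 401;
}

/* Envelope fields that exist only for a session user (client address, locale,
   session timeout, timezone, token) are added in session mode only. */
int
envelope_needs_session_fields(const auth_result_t *res)
{
  return res->mode == AUTH_SESSION;
}
```

The expiry check lives only in `find_session`, which is exactly the code the JWT branch skips; that is the structural reason behind the disclaimer that the session timeout does not apply to JWT requests.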

@bjoernricks bjoernricks requested review from a team as code owners May 15, 2026 11:22
@greenbonebot greenbonebot enabled auto-merge (rebase) May 15, 2026 11:23
@bjoernricks bjoernricks marked this pull request as draft May 15, 2026 11:23
auto-merge was automatically disabled May 15, 2026 11:23

Pull request was converted to draft

@bjoernricks bjoernricks force-pushed the optional-user-session branch 2 times, most recently from a54e163 to f68f0e6 May 15, 2026 11:27
This seems to be a leftover from ancient XSLT times.
Avoid crashing if the user is not available. This will be the case for
the JWT only mode.
If we don't have a user from the session aka. JWT only mode don't add
the client address, locale, session timeout, timezone or token to the
envelope.
Don't require a token for getting the user out of the session and
support JWT only mode for http get requests.
Setting the timezone is not necessary for gsad anymore. It seems like a
leftover from ancient XSLT times.
Using the params struct allows getting the token for GET **and** POST
requests and also validates the token.
Before the validation of the parameters was done later for POST requests
(or even never). With this change it is ensured that all parameters are
valid for every request getting in our handler chain.
…ests

We don't care about the accept language header value at all therefore we
can safely ignore it.
Don't crash if the user is not available. This will be required for the
JWT mode.
Require user or jwt for all requests to the `/gmp` and `/system_report`
endpoints. Otherwise return a 401 response.
Also only log out all user sessions if a user is available. This
avoids crashing in JWT mode.
Remove the user and credential setup from the exec_gmp_post method to
reduce duplicated code. Both will be done in a next commit via the
http handler chain instead. With this change exec_gmp_post and
exec_gmp_get are very similar and only handle GMP specific business
logic.
The cookie data is not used anymore.
Refactor setting up user and credentials for all API calls. With the
changed exec_gmp_post function it is possible to use the same handler
chain for all API calls.
Always send all GMP commands even if the user has no capability for the
command. Just let gvmd handle it. We don't have capabilities of the user
in JWT mode. Therefore it doesn't make sense to check it. Also the
functions using command enabled are very special and GSA should not use
their endpoints anymore.
Don't crash if the user is not available. This is the case in the JWT
mode.
@bjoernricks bjoernricks force-pushed the optional-user-session branch from f68f0e6 to ad5d52e May 15, 2026 11:30
@bjoernricks bjoernricks marked this pull request as ready for review May 15, 2026 11:30
@bjoernricks bjoernricks enabled auto-merge (rebase) May 15, 2026 11:30
@bjoernricks bjoernricks merged commit fc7ce4f into main May 15, 2026
21 checks passed
@bjoernricks bjoernricks deleted the optional-user-session branch May 15, 2026 11:50