As referenced in #1137, I have been trying to get a stateless deploy of yeti so it can be run with replicas.
The final issue I ran into is that there is a local `SESSION_STORE` within `core/web/apiv2/auth.py` which is used to store and retract JWTs. Removing the `SESSION_STORE` allows for auth to be stateless for the Yeti API and is arguably an unnecessary step, as JWTs naturally age out and are already retracted by clearing the cookie they are stored in when logging out. It is a very common pattern for JWTs to not be stored server side, and it is actually one of their core features and why they are commonly used. The only additional security that having the `SESSION_STORE` provides is immediate retraction of JWTs, which I would argue is a very fair trade-off for stateless auth (likewise it makes debugging more streamlined and easier, as re-authentication is no longer needed between changes).