Add session creation, tracking and revoking
Allow authenticated users to create additional authentication tokens, list all of their tokens (revoked and active) with labels/names/descriptions, and revoke existing tokens by ID.
To speed up the authentication process and avoid querying the database for every authentication action, I think we should store all active token IDs in Redis for fast querying, as well as in the database with all of the token's metadata.
We could also switch from storing capabilities in the JWT to storing them in Redis and the database, to allow users to change permissions on a token without recreating it (this would also make tokens shorter). If we did this, the example flow below would change from an `EXISTS` query to a `GET` query (this would also allow checking permissions with `GETBIT`, if we wanted to implement on-the-fly permission checking rather than building a permissions map in the authentication stage).
Example flow:
- user creates a token with ID `a`; it gets stored in the `sessions` table in the database, and a key called `auth:token:a:active` gets created in Redis with its value set to `1`
- user authenticates against the API with the token produced in step 1
- server decodes the token, parses capabilities and other things
- server queries Redis to check if the `auth:token:a:active` key `EXISTS`
- if the key exists, authentication was successful
- if the key does not exist, check the database to see if the token is revoked
  - if the token is marked as revoked, send a response outlining this so the client knows not to try again
  - if the token is not marked as revoked, add the key to Redis for next time; authentication was successful
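The flow above, plus the `GETBIT` capability-check variant mentioned earlier, as an added example that is not part of the original issue or the project's code. `FakeRedis` and the `sessions` dict are in-memory stand-ins for Redis and the `sessions` table; the `auth:token:<id>:caps` key, the capability bit numbering, and the `"ok"`/`"revoked"`/`"unknown"` result strings are assumptions made for the example. The token ID is assumed to have already been extracted from the decoded JWT by the time `authenticate` is called.

```python
"""Constructed example of token creation, Redis EXISTS check with database
fallback and cache repopulation, revocation, and GETBIT capability checks.
FakeRedis and `sessions` are in-memory stand-ins, not real Redis/SQL."""
import secrets
from dataclasses import dataclass


class FakeRedis:
    """Implements only the Redis commands the flow uses, with Redis bit order
    (offset 0 is the most significant bit of the first byte)."""

    def __init__(self):
        self._data = {}

    def set(self, key, value):
        self._data[key] = value

    def exists(self, key):
        return key in self._data

    def delete(self, *keys):
        for key in keys:
            self._data.pop(key, None)

    def setbit(self, key, offset, value):
        buf = bytearray(self._data.get(key, b""))
        byte_index, bit = divmod(offset, 8)
        if len(buf) <= byte_index:
            buf.extend(b"\x00" * (byte_index + 1 - len(buf)))
        mask = 1 << (7 - bit)
        buf[byte_index] = (buf[byte_index] | mask) if value else (buf[byte_index] & ~mask)
        self._data[key] = bytes(buf)

    def getbit(self, key, offset):
        buf = self._data.get(key, b"")
        byte_index, bit = divmod(offset, 8)
        if byte_index >= len(buf):
            return 0
        return 1 if buf[byte_index] & (1 << (7 - bit)) else 0


@dataclass
class Session:
    token_id: str
    label: str
    revoked: bool = False


redis = FakeRedis()
sessions = {}  # stand-in for the `sessions` table, keyed by token ID

# Assumed bit positions for the capability bitmap (not from the issue).
CAPABILITIES = {"read": 0, "write": 1, "admin": 2}


def active_key(token_id):
    return f"auth:token:{token_id}:active"


def caps_key(token_id):  # assumed key name for the GETBIT variant
    return f"auth:token:{token_id}:caps"


def create_token(label):
    """Store the session row and mark the token active in Redis."""
    token_id = secrets.token_hex(8)
    sessions[token_id] = Session(token_id, label)
    redis.set(active_key(token_id), "1")
    return token_id


def list_tokens():
    """All tokens, revoked or not, with their labels."""
    return [(s.token_id, s.label, s.revoked) for s in sessions.values()]


def revoke_token(token_id):
    session = sessions.get(token_id)
    if session is None:
        return False
    session.revoked = True  # database is the source of truth for revocation
    redis.delete(active_key(token_id), caps_key(token_id))
    return True


def authenticate(token_id):
    """Return 'ok', 'revoked' (client should stop retrying) or 'unknown'."""
    key = active_key(token_id)
    if redis.exists(key):
        return "ok"  # fast path: no database query
    session = sessions.get(token_id)
    if session is None:
        return "unknown"
    if session.revoked:
        return "revoked"
    redis.set(key, "1")  # cache miss on a valid token: repopulate for next time
    return "ok"


def grant_capability(token_id, cap):
    redis.setbit(caps_key(token_id), CAPABILITIES[cap], 1)


def has_capability(token_id, cap):
    """On-the-fly permission check without building a permissions map."""
    return redis.getbit(caps_key(token_id), CAPABILITIES[cap]) == 1
```

Revocation deletes the Redis key and flips the row, so the very next request falls through to the database and is told the token is revoked rather than silently re-cached; that ordering (database first, then cache) is what keeps the cache from ever resurrecting a revoked token.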