tink_web

Expose the whole request to session

Open gene-pavlovsky opened this issue 6 years ago • 4 comments

I want to check the client's IP address in my Session code (for maximum security, I want the session to be tied to a particular IP; if the IP changes, the client would have to log in again). But the clientIp is in IncomingRequest, not IncomingRequestHeader, which is provided to the session. According to @back2dos, since the pure branch got merged, it's safe to pass the whole IncomingRequest to the session. Alternatively, if it would make more sense (I'd guess not so much), the client's IP can be moved to IncomingRequestHeader or somewhere else?

gene-pavlovsky, Feb 22 '19 09:02

Yeah, as I said we should probably pass the whole request. I guess the only question is whether we want to retain support for session implementations that consume the header only, or just make a breaking change here ... @kevinresol ? ;)

back2dos, Feb 22 '19 09:02

Just abstract the request with a toHeader cast?

kevinresol, Feb 22 '19 09:02

or a breaking change is fine too

kevinresol, Feb 22 '19 11:02

For folks with the same issue: the workaround is pretty easy. The Context.authed() method receives the request object as its first parameter, and expects a session factory as its second parameter.

So instead of passing the IncomingRequestHeader to the session constructor, just pass the IncomingRequest object. Something like this:

Context.authed(request, _ -> new Session(request))

Then, in your session object you can use:

function getUser(): Promise<Option<User>> {
  // Do something with the client's IP address...
  this.request.clientIp;

  // Do something with the request header...
  this.request.header;
}

cedx, Sep 14 '20 09:09
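
The IP-bound session check this issue asks for, sketched as an added example that is not part of the thread or of tink_web's own code. It assumes stand-in `Request`/`Header` types that mirror only the `clientIp` and `header` fields named above, a hypothetical `sid` cookie and in-memory `Store`, and a synchronous `getUser` (tink_web's returns `Promise<Option<User>>`).

```haxe
import haxe.ds.Option;

// Stand-in types (assumptions) mirroring the request shape named in the
// thread: the request exposes clientIp and header.
typedef Header = { cookies: Map<String, String> };
typedef Request = { clientIp: String, header: Header };
typedef User = { name: String };
typedef Record = { user: User, boundIp: String };

// Hypothetical in-memory store: session id -> user plus the IP seen at login.
class Store {
  static final records = new Map<String, Record>();
  public static function login(id: String, user: User, req: Request)
    records.set(id, { user: user, boundIp: req.clientIp });
  public static function get(id: String) return records.get(id);
  public static function drop(id: String) records.remove(id);
}

class Session {
  final request: Request;
  public function new(request: Request) this.request = request;

  // Resolves the user only if the request comes from the IP bound at login.
  public function getUser(): Option<User> {
    final id = request.header.cookies.get("sid"); // hypothetical cookie name
    if (id == null) return None;
    final rec = Store.get(id);
    if (rec == null) return None;
    if (rec.boundIp != request.clientIp) {
      // IP changed: invalidate server-side so the client must log in again.
      Store.drop(id);
      return None;
    }
    return Some(rec.user);
  }
}

class Main {
  static function main() {
    // Constructed sample requests using documentation-range addresses.
    final a: Request = { clientIp: "192.0.2.10", header: { cookies: ["sid" => "abc"] } };
    final b: Request = { clientIp: "198.51.100.7", header: { cookies: ["sid" => "abc"] } };
    Store.login("abc", { name: "alice" }, a);
    trace(new Session(a).getUser()); // same IP as at login
    trace(new Session(b).getUser()); // different IP, session is dropped
    trace(new Session(a).getUser()); // original IP, but the record is gone
  }
}
```

If the application sits behind a reverse proxy or load balancer, confirm that `clientIp` carries the real client address before binding sessions to it.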