Add config option to enforce a single session token per user #1175
Conversation
+1

+1
@ftkg I believe that because RemoveAll invalidates all tokens emitted prior to the current time (with granularity within the same second), and because IsValidSession rejects blacklisted tokens emitted within the same second too, this will also invalidate the token to be issued.

Please also add the new option to the changelog.
@@ -117,7 +117,7 @@ func (s *LocalSessionCache) IsValidSession(userID uuid.UUID, exp int64, tokenId | |||
s.RUnlock() | |||
return true | |||
} | |||
if cache.lastInvalidation > 0 && exp-s.tokenExpirySec <= cache.lastInvalidation { | |||
if cache.lastInvalidation > 0 && exp-s.tokenExpirySec < cache.lastInvalidation { |
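Review bot: relaxing `<=` to `<` on the `lastInvalidation` comparison accepts any token whose issue time (`exp-s.tokenExpirySec`) equals `cache.lastInvalidation`, not only the token issued right after the RemoveAll call; with the second granularity noted in the thread, every session created for that user within the same second as the invalidation survives it. That one-second window should at least be documented in a comment next to the check, and if the cache can carry it, comparing against a finer-grained timestamp or a per-user invalidation counter would let the newly issued token be distinguished from others issued in the same second.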
@sesposito Good catch, I've changed the validity check to only deny tokens issued strictly before the full invalidation. Do you see any problems with this?
Resolves #1014
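To make the off-by-one discussed above concrete, here is an added Go model of the check (constructed for this page, not Nakama's own code): a per-user cache that stores the epoch second of the last full invalidation, a login flow that invalidates all sessions and then issues a new token in the same second, and the validity check with both the original `<=` and the corrected `<` comparison. The names sessionCache, removeAll, isValidSession and loginSingleSession, the 3600-second expiry and the timestamps are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sync"
)

// sessionCache is a constructed stand-in for the LocalSessionCache discussed
// in the thread (illustration only, not the project's code). It records, per
// user, the epoch second at which all of that user's sessions were last
// invalidated, as the diff's cache.lastInvalidation does.
type sessionCache struct {
	mu               sync.RWMutex
	tokenExpirySec   int64
	lastInvalidation map[string]int64
}

func newSessionCache(tokenExpirySec int64) *sessionCache {
	return &sessionCache{
		tokenExpirySec:   tokenExpirySec,
		lastInvalidation: make(map[string]int64),
	}
}

// removeAll models RemoveAll: every token issued before nowSec is to be
// rejected from now on. Timestamps are whole seconds, which is the
// granularity the reviewer points out.
func (c *sessionCache) removeAll(userID string, nowSec int64) {
	c.mu.Lock()
	c.lastInvalidation[userID] = nowSec
	c.mu.Unlock()
}

// isValidSession mirrors the check in the diff. A token carries only its
// expiry, so its issue time is recovered as exp - tokenExpirySec.
// strict=true is the `<` comparison after the fix, strict=false the `<=`
// comparison before it.
func (c *sessionCache) isValidSession(userID string, exp int64, strict bool) bool {
	c.mu.RLock()
	last := c.lastInvalidation[userID]
	c.mu.RUnlock()
	issuedAt := exp - c.tokenExpirySec
	if last > 0 {
		if strict && issuedAt < last {
			return false
		}
		if !strict && issuedAt <= last {
			return false
		}
	}
	return true
}

// loginSingleSession models the single-session-per-user flow: invalidate
// every existing session, then issue a new token within the same second.
// It returns the new token's expiry.
func loginSingleSession(c *sessionCache, userID string, nowSec int64) int64 {
	c.removeAll(userID, nowSec)
	return nowSec + c.tokenExpirySec
}

func main() {
	const now int64 = 1_700_000_000 // constructed epoch second
	c := newSessionCache(3600)
	oldExp := (now - 10) + 3600 // token issued ten seconds before the login
	newExp := loginSingleSession(c, "alice", now)

	fmt.Println("old token, <= check:", c.isValidSession("alice", oldExp, false)) // false
	fmt.Println("old token, <  check:", c.isValidSession("alice", oldExp, true))  // false
	fmt.Println("new token, <= check:", c.isValidSession("alice", newExp, false)) // false: the bug the reviewer caught
	fmt.Println("new token, <  check:", c.isValidSession("alice", newExp, true))  // true

	// Caveat of the fix: a second login for the same user within the same
	// second also survives, because its issue time equals lastInvalidation too.
	otherExp := loginSingleSession(c, "alice", now)
	fmt.Println("same-second second login, < check:", c.isValidSession("alice", otherExp, true)) // true
}
```

The last lines show the trade-off of the `<` comparison: with second-resolution timestamps, the check cannot tell the token issued by this login apart from any other token issued for the same user in that second, so two logins landing in the same second both remain valid until the next invalidation.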