Skip to content

fix(console): revoke server-side sessions on logout#169

Draft
overtrue wants to merge 1 commit into
mainfrom
overtrue/fix-console-session-revocation
Draft

fix(console): revoke server-side sessions on logout#169
overtrue wants to merge 1 commit into
mainfrom
overtrue/fix-console-session-revocation

Conversation

@overtrue

Copy link
Copy Markdown
Contributor

Type of Change

  • New Feature
  • Bug Fix
  • Documentation
  • Performance Improvement
  • Test/CI
  • Refactor
  • Other: N/A

Related Issues

Closes rustfs/backlog#1087

Summary of Changes

  • Replace the stateless encrypted cookie with a 128-bit random session reference backed by an encrypted, bounded in-process session store.
  • Revoke the referenced session immediately on logout while preserving legacy empty POST clients and rejecting untrusted browser origins.
  • Require one Console replica with a Recreate rollout, document upgrade and rollback behavior, and verify the rendered Helm deployment in CI.

Checklist

  • I have read and followed the CONTRIBUTING.md guidelines
  • Passed make pre-commit (fmt-check + clippy + test + console-lint + console-fmt-check)
  • Added/updated necessary tests
  • Documentation updated (if needed)
  • CHANGELOG.md updated under [Unreleased] (N/A: this repository has no CHANGELOG.md)
  • CI/CD passed (pending remote CI)

Impact

  • Breaking change (CRD/API compatibility)
  • Requires doc/config/deployment update
  • Other impact: Console restarts and upgrades intentionally invalidate active sessions; supported deployments use one replica and Recreate.

Verification

make pre-commit
helm lint deploy/rustfs-operator
cargo test --manifest-path e2e/Cargo.toml --test sts_manifest console_session_deployments_enforce_single_recreate_process

Additional Notes

  • Correctness adversary: logout replay, expiry, capacity boundaries, cookie validation, and upgrade paths resisted attack.
  • Security reviewer: no token leakage, session fixation, CSRF, cross-scheme, RBAC, or unbounded-storage break found.
  • Concurrency/durability reviewer: one short mutex, no lock across await, atomic create checks, and idempotent revoke.
  • Compatibility reviewer: legacy logout clients, HTTP/1 Host, HTTP/2 authority, proxy guidance, cookie contract, and rollback remain compatible.
  • Performance reviewer: request lookup is O(1), decryption is outside the lock, and memory and login scans are bounded.
  • Test-coverage skeptic: every changed behavior has a regression test, including real Helm rendering in CI.

Thank you for your contribution! Please ensure your PR follows the community standards (CODE_OF_CONDUCT.md) and sign the CLA if this is your first contribution.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant