Conversation

@TooAngel
Owner

Summary

Implements header-based session authentication to enable the worlddriven webapp proxy pattern while maintaining full backward compatibility with existing cookie-based authentication.

Changes

Database Layer

  • Extended database.js: Added Session typedef and sessions collection getter
  • Follows existing pattern for collection access
  • Enables type-safe session queries

Session Authentication Middleware

  • New file: src/middleware/sessionAuth.js
  • Extracts and validates Authorization: SESSION <sessionId> headers
  • Queries MongoDB sessions collection directly
  • Validates session expiration
  • Sets req.session.userId for compatibility with existing routes
  • Falls back gracefully to cookie-based auth if no header present

API Endpoints

  • GET /api/auth/status: Check authentication status and return user info
  • POST /api/auth/logout: Destroy session

Middleware Integration

  • Applied after express-session setup in src/index.js
  • Automatically supports both authentication methods

Architecture

Webapp Proxy Pattern Flow

  1. User authenticates via existing GitHub OAuth flow
  2. Webapp proxy extracts sessionId from httpOnly cookie
  3. Proxy sends Authorization: SESSION <sessionId> to core
  4. Core middleware validates session from MongoDB
  5. Existing routes work unchanged with req.session.userId

Backward Compatibility

  • ✅ Current frontend with cookies continues to work
  • ✅ New webapp proxy with headers works
  • ✅ Both methods can be used simultaneously
  • ✅ No breaking changes to existing code

Security

  • Sessions remain in MongoDB with existing security
  • httpOnly cookies prevent JavaScript access in webapp
  • Session validation includes expiration checks
  • No session data exposed in responses

Testing

  • ✅ ESLint passes with no errors or warnings
  • Ready for integration testing with webapp proxy

Implement support for Authorization header session authentication to enable
the worlddriven webapp proxy pattern while maintaining backward compatibility
with existing cookie-based authentication.

Changes:
- Extended database layer to expose sessions collection
- Created session authentication middleware that validates Authorization headers
- Added API endpoints for authentication status and logout
- Applied middleware to support both cookie and header-based auth simultaneously

The webapp proxy can now send "Authorization: SESSION <sessionId>" headers
and the core will validate sessions from MongoDB, enabling secure httpOnly
cookie handling in the webapp while keeping all session logic in the core.

Backward compatible: existing cookie-based frontend continues to work unchanged.
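The middleware behaviour the description and commit message lay out (parse `Authorization: SESSION <sessionId>`, look the id up in the sessions collection, reject expired sessions, set `req.session.userId`, otherwise leave cookie auth alone), as an added, dependency-free example that is not the PR's own `src/middleware/sessionAuth.js`. The document shape `{ expires: Date, session: { userId } }`, the synchronous `store.get()` standing in for the async MongoDB query, and the id format regex are assumptions.

```javascript
// Added example (not the PR's own code): a dependency-free model of the
// "Authorization: SESSION <sessionId>" middleware. The document shape
// { expires: Date, session: { userId } } and the synchronous store.get()
// are assumptions standing in for the real awaited MongoDB query.

const SESSION_ID_RE = /^[A-Za-z0-9_-]{16,128}$/; // constructed: conservative id charset and length

// Returns the session id from a "SESSION <id>" header value, or null for anything else.
function parseSessionHeader(value) {
  if (typeof value !== 'string') return null;
  const parts = value.trim().split(/\s+/);
  if (parts.length !== 2 || parts[0].toUpperCase() !== 'SESSION') return null;
  return SESSION_ID_RE.test(parts[1]) ? parts[1] : null;
}

// Middleware factory. `now` is injectable so expiry handling can be tested deterministically.
function sessionAuth(store, now = () => Date.now()) {
  return function (req, res, next) {
    const sessionId = parseSessionHeader(req.headers && req.headers.authorization);
    if (sessionId === null) return next(); // no header: leave cookie-based req.session untouched
    const doc = store.get(sessionId);
    // An unknown or expired id is treated exactly like no credential: the route's own
    // checks produce the 401, and nothing about the stored session leaks back.
    if (!doc || !(doc.expires instanceof Date) || doc.expires.getTime() <= now()
        || !doc.session || !doc.session.userId) {
      return next();
    }
    req.session = req.session || {};
    req.session.userId = doc.session.userId;
    return next();
  };
}

// Constructed sample documents standing in for the sessions collection.
const sampleStore = new Map([
  ['validSessionId_0123456789abcdef', { expires: new Date('2030-01-01T00:00:00Z'), session: { userId: 'user-42' } }],
  ['expiredSessionId_0123456789abcd', { expires: new Date('2020-01-01T00:00:00Z'), session: { userId: 'user-7' } }],
]);

// Drives the middleware over a bare request object and reports what a downstream route would see.
function authenticate(store, headers, now) {
  const req = { headers, session: {} };
  let nextCalled = false;
  sessionAuth(store, now)(req, {}, () => { nextCalled = true; });
  return { nextCalled, userId: req.session.userId || null };
}
```

The SESSION header carries exactly the authority of the cookie it was extracted from, so the proxy-to-core hop needs the same transport protection as the browser-to-proxy hop.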
@worlddriven
Contributor

worlddriven bot commented Nov 22, 2025

🤖 Worlddriven Status

📊 Live Status Dashboard

🗓️ Merge Date: 2025-11-24 at 02:38:28 UTC (today)
📅 Started: 2025-11-22 at 06:49:36 UTC
Speed Factor: 0.18 (82% faster due to reviews)
Positive votes: 300/367 contribution weight (coefficient: 0.82)
📈 Base Merge Time: 10 days → Current: 2 days

🎯 Want to influence when this merges?

Your review matters! As a contributor to this project, your voice helps determine the merge timeline.

How to review:

  1. Check the changes (Files changed)
  2. Leave your review (Review changes)

Your options:

  • ✅ Agree & Speed Up: Approve. Approving makes this merge faster.
  • ❌ Disagree & Slow Down: Request changes. Requesting changes delays the merge.

💡 Pro tip: The more contributors who agree, the faster this gets merged!

📊 View detailed stats on the dashboard

📋 Recent Activity

2025-11-22, 06:49:43 - Pull request opened
2025-11-22, 06:49:44 - Pull request opened
2025-11-24, 02:51:54 - Pull request merged by worlddriven ✅

This comment is automatically updated by worlddriven

@worlddriven worlddriven bot merged commit 619831d into master Nov 24, 2025
2 checks passed
@worlddriven worlddriven bot deleted the feat/header-based-session-auth branch November 24, 2025 02:51