Details
Type: Improvement
Resolution: Fixed
Priority: High
Version(s): 5.1, 5.2
Sprint: Ventoux Sprint 6
Description
The current REST spec hints at a missing GET /user/sessions/<sessionId>; however, this resource was left out on purpose for security reasons. This story is therefore about changing the existing POST /user/sessions to cover a common use case of session-based REST clients: re-authenticating a user who comes back to the application while the session cookie still exists (the session cookie might not be readable from JavaScript for security reasons, by the way).
Suggestion for the change, made in PR 682:
- POST /user/sessions with a correct login / password and a session cookie gives:
  - If no session exists: 201 as now (or another response code, as we can't provide a Location header)
  - If the corresponding session exists: 200 with the same response body as in the previous case
  - 13.03.14: If the user is different: if the previous session was anonymous, session->migration(true); if the previous session was logged in, 409 as already in the spec
- POST /user/sessions/<sessionId>/refresh: a new resource to which you can POST with the session cookie and CSRF token
  - If the session is valid: 200 (204 would work if we don't provide a body)
  - 404 if the session is not valid
vnd.ez.api.Session might also benefit from containing expiry information (most likely how long the session stays valid on inactivity).
POST /user/sessions/<sessionId>/refresh might not be needed if all resources give a common error when the CSRF token is wrong or the session has expired.
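The status-code decision logic proposed above, including the anonymous-session migration and the suggested expiry field, written out as an added example. This is illustrative Python, not eZ Publish code or the PR 682 change: the in-memory user table and session store, the 3600 s inactivity timeout, the `expiresIn` field name, the 401 for a CSRF mismatch on refresh and the 200 after migrating an anonymous session are all assumptions the issue leaves open.

```python
"""Model of POST /user/sessions and POST /user/sessions/<sessionId>/refresh
as proposed in the issue.  Added example, not eZ code: users, ids, timeout
and the CSRF/expiry handling are constructed assumptions."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

INACTIVITY_TIMEOUT = 3600  # seconds; constructed value, the spec leaves it open

# Constructed user table (login -> password). A real store keeps password hashes.
USERS = {"alice": "alice-pw", "bob": "bob-pw"}


@dataclass
class Session:
    session_id: str
    user: Optional[str]          # None means an anonymous session
    csrf_token: str
    last_seen: float = field(default_factory=time.time)

    def expired(self, now: float) -> bool:
        return now - self.last_seen > INACTIVITY_TIMEOUT


class SessionStore:
    def __init__(self):
        self.sessions = {}

    def create(self, user: Optional[str] = None) -> Session:
        s = Session(secrets.token_hex(16), user, secrets.token_hex(16))
        self.sessions[s.session_id] = s
        return s

    def get_valid(self, session_id: str, now: float) -> Optional[Session]:
        s = self.sessions.get(session_id)
        if s is None:
            return None
        if s.expired(now):
            del self.sessions[session_id]  # expired sessions are dropped, not refreshed
            return None
        return s

    def migrate(self, s: Session) -> Session:
        # Mirrors the session->migration(true) step: new id, old id destroyed,
        # so an anonymous id fixed before login cannot be reused afterwards.
        del self.sessions[s.session_id]
        s.session_id = secrets.token_hex(16)
        self.sessions[s.session_id] = s
        return s


def session_body(s: Session, now: float) -> dict:
    # vnd.ez.api.Session-like body; expiresIn is the expiry info the issue suggests.
    return {"identifier": s.session_id, "user": s.user, "csrfToken": s.csrf_token,
            "expiresIn": int(INACTIVITY_TIMEOUT - (now - s.last_seen))}


def post_sessions(store, login, password, cookie_session_id=None, now=None):
    """POST /user/sessions -> (status, body)."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(USERS.get(login, ""), password):
        return 401, {"error": "bad credentials"}
    existing = store.get_valid(cookie_session_id, now) if cookie_session_id else None
    if existing is None:                 # no (valid) session: create one
        s = store.create(login)
        s.last_seen = now
        return 201, session_body(s, now)
    if existing.user == login:           # same user re-authenticating
        existing.last_seen = now
        return 200, session_body(existing, now)
    if existing.user is None:            # anonymous session: migrate to the user
        existing.user = login
        existing.last_seen = now
        store.migrate(existing)
        return 200, session_body(existing, now)
    return 409, {"error": "another user is already logged in for this session"}


def post_refresh(store, path_session_id, cookie_session_id, csrf_token, now=None):
    """POST /user/sessions/<sessionId>/refresh -> (status, body or None)."""
    now = time.time() if now is None else now
    s = store.get_valid(path_session_id, now)
    if s is None or path_session_id != cookie_session_id:
        return 404, None                 # unknown, expired or foreign session id
    if not hmac.compare_digest(s.csrf_token, csrf_token):
        return 401, None                 # assumption: CSRF mismatch, spec undefined
    s.last_seen = now                    # refresh extends the inactivity window
    return 200, session_body(s, now)
```

Passing `now` explicitly keeps the expiry paths testable; in a real handler the cookie value would come from the request and the CSRF token from a header, and the 409 path is where a client learns it must log the previous user out first rather than silently taking over the session.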