[SQL-264] JWT and Routing Enhancement Suite #456

kelvinqian00 · 2025-01-14T19:36:16Z

Feature PR for JWT enhancement epic and support for frontend routing improvements.

Change Summary:

Add JWT refresh and logout revocation
Make /admin/ui the root path on FE, in order to support re-route
- Ban users from setting /admin as the route prefix to avoid clashes
New endpoints:
- /admin/account/logout: log out and invalidate current JWT by adding it to a blocklist
- /admin/account/renew: renew the current JWT to extend the current login session
- /admin/verify: returns 204 No Content if currently logged in
New config vars:
- LRSQL_JWT_REFRESH_EXP_TIME: JWT refresh expiration time, after which refreshes can no longer be performed
- LRSQL_JWT_REFRESH_INTERVAL: time interval for frontend to send a JWT refresh request
- LRSQL_JWT_INTERACTION_WINDOW: time interval to check for user interaction before a potential JWT refresh

PRs:

[SQL-267] `/admin/verify` endpoint

[SQL-222] Admin logout endpoint

[SQL-268] Admin JWT renewal endpoint

Update base UI path to `/admin/ui`

Development checklist

[SQL-274] Prevent user from setting `LRSQL_URL_PREFIX` to `/admin`

cliffcaseyyet

I went through this pretty detailed and everything looks good. If it's been tested with noval and oidc this looks pretty ready to ship.

kelvinqian00 added 30 commits October 29, 2024 15:15

Add new /admin/verify endpoint

670b8a2

Add tests for new endpoint (+ JWT corruption)

39d6c15

Add endpoint to documentation

57bfee9

Add /admin/openapi to endpoint docs

e16d6e2

Add /admin/status to endpoint docs

d645cfc

Bodyless -> No Content

35cfbda

Add JWT blocklist table to SQLite

55855cd

Add JWT blocklist table to Postgres

a682c5f

Add and implement backend protocol

ce7ee63

Fix typo in HugSQL code

877ca9d

JWT op specs

01674d0

JWT op inputs

02f3155

JWT ops

95e82d2

Implement AdminJWTManager protocol

a1ce210

Add tests for JWT protocol functions

0c37dc1

Fix protocol tests

8cda065

TEXT -> UUID in Postgres

2e29d19

Surround all admin route tests with try-finally blocks

d01f6fd

Refactor JWT validation + add blocklist check

d58999d

Implement loguout route + interceptors

970732c

Add logout tests

5f04099

Undo anomalous fn renaming

db96757

Add expiration to ctx jwt data

1655391

Add logout endpoint to docs

3d28d00

Add comment

170680f

Add second account to test blocking expired JWTs

f78b912

Add new renew endpoint

b05e1ab

Add ult property to JWTs

912797d

Add LRSQL_JWT_ULTIMATE_EXP_TIME var and pass it to admin routes

c4f5582

Add separate jwt creation fn that reuses ult exp time

2625a6a

kelvinqian00 and others added 26 commits November 11, 2024 12:34

Change config vars to less than or equal to

4e40b17

Merge branch 'main' into admin-logged-in-endpoint

06f8b07

Merge branch 'main' into admin-logout-endpoint

12e18f8

Merge branch 'admin-logout-endpoint' into admin-jwt-renew-endpoint

c8486cd

Make route tests pass with new config numbers

ab80835

Merge branch 'admin-logged-in-endpoint' into admin-logout-endpoint

b206ae5

Merge branch 'admin-logout-endpoint' into admin-jwt-renew-endpoint

8d5080a

Use TIMESTAMP WITH TIME ZONE for evict_time

07b912d

Only purge blocklist on logout

1b8a96f

Fail silently upon double logout

b115a41

Implement get-spa and use that for /admin

ec85d87

Add /ui for UI routes

29c3922

Remove proxy-path from get-spa

c4959bd

Use Selmer templates to inject proxy path prefix

740f803

Add a testing checklist in the dev docs

7046115

Shorten list

839aee7

Grammar properly in the first sentence

1dbe44a

Add url-prefix restrictions to config spec

52a0c7e

Mention changes in docs

99d02f1

Merge pull request #433 from yetanalytics/admin-logged-in-endpoint

008120c

[SQL-267] `/admin/verify` endpoint

Merge pull request #434 from yetanalytics/admin-logout-endpoint

779fff8

[SQL-222] Admin logout endpoint

Merge branch 'jwt-enhancement-epic' into admin-jwt-renew-endpoint

feebfb4

Merge pull request #435 from yetanalytics/admin-jwt-renew-endpoint

74a4dd4

[SQL-268] Admin JWT renewal endpoint

Merge pull request #439 from yetanalytics/admin-re-route

a20e679

Update base UI path to `/admin/ui`

Merge pull request #441 from yetanalytics/dev-checklist

5dde8e7

Development checklist

Merge pull request #449 from yetanalytics/ban-admin-prefix

27e4ac4

[SQL-274] Prevent user from setting `LRSQL_URL_PREFIX` to `/admin`

kelvinqian00 requested review from milt, cliffcaseyyet and invaliduser January 14, 2025 19:36

cliffcaseyyet approved these changes Jan 31, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[SQL-264] JWT and Routing Enhancement Suite #456

[SQL-264] JWT and Routing Enhancement Suite #456

kelvinqian00 commented Jan 14, 2025 •

edited

Loading

cliffcaseyyet left a comment

[SQL-264] JWT and Routing Enhancement Suite #456

Are you sure you want to change the base?

[SQL-264] JWT and Routing Enhancement Suite #456

Conversation

kelvinqian00 commented Jan 14, 2025 • edited Loading

Change Summary:

PRs:

cliffcaseyyet left a comment

Choose a reason for hiding this comment

kelvinqian00 commented Jan 14, 2025 •

edited

Loading