TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-11 21:27:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(session): allow update of session without token (#7963)

Browse Source 
# Which Problems Are Solved

The session update requires the current session token as argument.
Since this adds extra complexity but no real additional security and
prevents case like magic links, we want to remove this requirement.

We still require the session token on other resouces / endpoints, e.g.
for finalizing the auth request or on idp intents.

# How the Problems Are Solved

- Removed the session token verifier in the Update Session GRPc call.
- Removed the session token from login UI examples session update calls

# Additional Changes

- none

# Additional Context

- Closes #7883
This commit is contained in:
Tim Möhlmann
2024-05-22 07:56:11 +02:00
committed by GitHub
parent 07f91e4f16
commit 5b1160de1e
9 changed files with 42 additions and 111 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
proto/zitadel/session/v2beta/session_service.proto
View File

@@ -296,7 +296,7 @@ message CreateSessionResponse{
];
string session_token = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"The current token of the session, which is required for further updates of the session or the request other resources.\"";
description: "\"The current token of the session, which is required for delete session, get session or the request of other resources.\"";
}
];
Challenges challenges = 4;
@@ -313,11 +313,11 @@ message SetSessionRequest{
}
];
string session_token = 2 [
(validate.rules).string = {min_len: 1, max_len: 200},
(validate.rules).string = {min_len: 0, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
description: "\"The current token of the session, previously returned on the create / update request.\"";
description: "\"DEPRECATED: this field is ignored.\"";
}
];
Checks checks = 3[
@@ -344,7 +344,7 @@ message SetSessionResponse{
zitadel.object.v2beta.Details details = 1;
string session_token = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"The current token of the session, which is required for further updates of the session or to request other resources.\"";
description: "\"The current token of the session, which is required for delete session, get session or the request of other resources.\"";
}
];
Challenges challenges = 3;