Skip to content

Session-based authentification#610

Open
MNassimM wants to merge 18 commits intoocaml-sf:masterfrom
pfitaxel:temporary-token
Open

Session-based authentification#610
MNassimM wants to merge 18 commits intoocaml-sf:masterfrom
pfitaxel:temporary-token

Conversation

@MNassimM
Copy link
Collaborator

@MNassimM MNassimM commented Apr 29, 2025
edited
Loading

  • Kind: feature / refactor / BREAKING CHANGE

Description

This PR introduces Learn-OCaml v2.0 session-based authentication while preserving backward compatibility for existing CLI users:

  • adds a full set of “*_ssession endpoints on both the server and the client;
  • all token → session relationships are stored in a session.json file within the sync directory
  • keeps the original token endpoints, but marks them Upto v"2.0" so old (≤ 1.x) CLI clients continue to use them;
  • the front side now stores only sync-session in the local storage;
  • provides a one-shot migrate_from_legacy_token helper in the front-end that detects an old sync-token, logs in via the new /login route, stores the returned session, fetches the save file, then deletes the legacy sync-token – all with a small “connection preserved” alert.

Checklist

Note to maintainers

  • Read this wiki page.
  • Make sure the PR has a milestone.
  • Assign yourself before merging.
  • Either do a regular merge:
    • for PRs containing several commits following conventional-commits,
    • or for PRs containing 1 commit shared with a later PR (to preserve the SHA1)
  • Or do a squash-merge:
    • for PRs containing only 1 commit (not shared with a later PR),
    • or for PRs containing several commits that need not be kept in the history;
    • Update the commit message header with a conventional-commit type,
    • Add a footer Close #… if a related issue exists.

@erikmd erikmd added the kind: feature New user-facing feature. label Jun 2, 2025
@erikmd
Copy link
Collaborator

erikmd commented Jun 2, 2025
edited
Loading

Just FYI @MNassimM, I added three small commits following our recent discussions on the migration to decompress 1.5.3:

  • avoiding the use of De.io_buffer_size that looks unneeded (and local testing is still fine)
  • removing the inotify dependency from the *.locked file as it just doesn't work on macOS,
    see also https://opam.ocaml.org/packages/irmin-watcher/ that says "inotify" {os = "linux"}
  • and adding the cryptokit dependency that was missing in the branch (it was certainly the cause of the CI failure).

Feel free to add other commits in the branch, and I propose that we'll interactively rebase your branch during our meeting tomorrow (in case you have Magit questions!)

MNassimM and others added 13 commits June 3, 2025 11:02
@MNassimM
feat(session): implement session type, generation, encoding and storage
cbad40d
@MNassimM
feat(api/login): add endpoint Login to return session for token
a382171
@MNassimM
feat(index_main): use Login endpoint with permanent token
a418491
@MNassimM
refactor!(api,server): replace token with session in routes
1614112 
All endpoints previously requiring a token now expect a session.

BREAKING CHANGE: Endpoints and clients using token-based authentication must be updated to use session-based authentication.
@MNassimM
refactor(app): replace token with session in API calls and local_storage
3b95577 
All API calls and local_storage interactions in the app/ folder now use session for authentication instead of token.
@MNassimM
feat(session): add Cryptokit‑based session generation and parsing
8671ab2
@MNassimM
feat(api): implement Get_token endpoint
ef77eac 
Add a new  API route that returns the token associated with a given session, enabling clients to retrieve their token server-side without storing it in the frontend.
@MNassimM
feat!(api): change Create_teacher_token to accept session instead of …
a64ee69 
…token
@MNassimM
refactor(client): remove deprecated from local storage and front-end
06ab52c
@MNassimM
feat(api): add v2.0 session-based “_s” endpoints (token routes kept f…
228b6af 
…or CLI)

Update supported_versions so:
 - legacy token routes are valid Upto v2.0
 - new session routes are valid Since v2.0

Clients ≥ 2.0 negotiate the new API; CLI clients continue to work.

Front-end now uses only the “_s” routes.
@MNassimM
feat(ui): auto-migrate legacy to v2 session auth
de81b65
@MNassimM
deps(opam): Add Irmin-git 3.10.0
e86c0d1 
This change needed to refactor the decompress-based deflate encoding
@MNassimM @Plictox
feat(state): Store session-token links using Irmin instead of JSON file
c4839ff 
Replace the JSON-based storage of session-token-date entries with an Irmin Git-backed key-value store.

Sessions are no longer stored in 'sessions.json' but in an Irmin Git repository ('session_store.git' by default).

Credits: this patch reuses code from oauth-moodle-dev by the following authors.
Co-authored-by: Louis Tariot <77079482+Plictox@users.noreply.github.com>
erikmd added 4 commits June 3, 2025 17:23
@erikmd
build(docker): Bump alpine-3.20 -> alpine-3.21
e3aa532 
as `ocaml/opam:alpine-3.20-*` images are now 6-month old:
cf. https://hub.docker.com/r/ocaml/opam/tags?name=alpine-3.20

which caused some CI build issue due to a too-old version of opam:
cf. https://github.com/ocaml-sf/learn-ocaml/actions/runs/15413403948/job/43370458368#step:3:122
@erikmd
build(docker): Use opam-2.3 and run opam init --reinit -ni first
0000ded 
Otherwise, we get:
```
The following dependencies couldn't be met:
  - learn-ocaml -> mirage-runtime = 4.8.2
      unmet availability conditions: opam-version >= "2.1.0"
```
Related: https://github.com/ocaml-sf/learn-ocaml/actions/runs/15421443343/job/43397321956?pr=610#step:3:163
Related: ocurrent/docker-base-images#132
Related: https://github.com/ocurrent/docker-base-images/blob/02a40d239bbb8dd2700d9bfaa7511926a84eca7b/Dockerfile#L3
@erikmd
build(macos): Add missing system packages for {conf-libffi,conf-zlib}
57cb49a
@erikmd
refactor(Learnocaml_store): Move Json_codec to Learnocaml_api
7ce615a 
Motivation:
- Learnocaml_store contained Json_codec
- learnocaml_client.ml relies on Json_codec
- Learnocaml_store depends on Learnocaml_api
- Learnocaml_store pulls irmin-git.unix and cryptokit
  - unlike Learnocaml_api
  - and these two dependencies are unneeded for compiling learnocaml_client.ml
@erikmd erikmd force-pushed the temporary-token branch from baaea6b to 7ce615a Compare June 3, 2025 21:54
@erikmd
deps(docker): Add gmp alpine package
d15c588 
Otherwise we'd get:

```
Error loading shared library libgmp.so.10: No such file or directory (needed by /usr/bin/learn-ocaml)
```

cf. https://github.com/ocaml-sf/learn-ocaml/actions/runs/15428646832/job/43421680304?pr=610
@erikmd erikmd mentioned this pull request Sep 2, 2025
Draft
14 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

kind: feature New user-facing feature.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@MNassimM @erikmd