Skip to content

feat: Add cookieSessionStore option to support multi-replica deployments #3016

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 9 commits into
base: alpha
Choose a base branch
from
Open

feat: Add cookieSessionStore option to support multi-replica deployments #3016

wants to merge 9 commits into from
+232 −4

Conversation

Copy link

Copilot AI commented Nov 20, 2025
edited
Loading

New Pull Request Checklist

Issue Description

When Parse Dashboard runs with multiple replicas behind a load balancer without sticky sessions, CSRF token validation fails because session data is stored in memory and not shared between instances. Requests hitting different replicas fail with "CSRF token validation failed."

Closes: #3015

Approach

Added cookieSessionStore option to accept any express-session compatible store (Redis, MongoDB, etc.) for shared session storage across replicas.

Core changes:

  • Authentication.js: Accept optional cookieSessionStore in initialize(), pass to express-session config
  • app.js: Pass cookieSessionStore from options to Authentication
  • server.js: Pass cookieSessionStore from config.data to dashboard options

Documentation:

Added comprehensive documentation in README.md including:

  • Explanation of the multi-replica CSRF token issue
  • List of suggested session stores (connect-redis, connect-mongo, connect-pg-simple, memorystore)
  • Simple JavaScript example using connect-redis with cookieSessionStore
  • Important notes about cookieSessionSecret configuration for multi-replica deployments
  • Alternative approach using sticky sessions

Example usage:

const express = require('express');
const ParseDashboard = require('parse-dashboard');
const { createClient } = require('redis');
const RedisStore = require('connect-redis').default;

// Instantiate Redis client
const redisClient = createClient({ url: 'redis://localhost:6379' });
redisClient.connect();

// Instantiate Redis session store
const cookieSessionStore = new RedisStore({ client: redisClient });

// Configure dashboard with session store
const dashboard = new ParseDashboard({
  apps: [...],
  users: [...],
}, {
  cookieSessionStore,
  cookieSessionSecret: 'your-secret-key',
});

const app = express();
app.use('/dashboard', dashboard);
app.listen(4040);

Note: The cookieSessionStore option cannot be set via environment variables or CLI arguments as it requires an instantiated object with active connections. It must be configured programmatically.

Backward compatibility: Defaults to in-memory store when not provided, maintaining full backward compatibility with existing deployments.

TODOs before merging

  • Add tests
  • Add changes to documentation (guides, repository pages, in-code descriptions)

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

@coderabbitai
Copy link

coderabbitai bot commented Nov 20, 2025
edited
Loading

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Comment @coderabbitai help to get the list of available commands and usage tips.

@parseplatformorg
Copy link
Contributor

parseplatformorg commented Nov 20, 2025
edited
Loading

Snyk checks have passed. No issues have been found so far.

Status Scanner Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

Copilot AI changed the title [WIP] Fix CSRF token validation issue with load balancer Add sessionStore option to support multi-replica deployments Nov 20, 2025
Copilot AI requested a review from mtrezza November 20, 2025 14:41
Copilot finished work on behalf of mtrezza November 20, 2025 14:41
@uffizzi-cloud
Copy link

uffizzi-cloud bot commented Nov 20, 2025

Uffizzi Ephemeral Environment deployment-65874

⌚ Updated Nov 20, 2025, 14:42 UTC

☁️ https://app.uffizzi.com/github.com/parse-community/parse-dashboard/pull/3016

📄 View Application Logs etc.

What is Uffizzi? Learn more

@mtrezza mtrezza closed this Nov 20, 2025
@mtrezza mtrezza reopened this Nov 20, 2025
@parse-github-assistant
Copy link

parse-github-assistant bot commented Nov 20, 2025
edited
Loading

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

@mtrezza mtrezza marked this pull request as ready for review November 20, 2025 14:47
@mtrezza mtrezza changed the title Add sessionStore option to support multi-replica deployments feat: Add sessionStore option to support multi-replica deployments Nov 20, 2025
@mtrezza
Copy link
Member

mtrezza commented Nov 20, 2025

@copilot does this support setting the session store option via environment variables and via CLI argument? If not, add it.

@mtrezza mtrezza mentioned this pull request Nov 20, 2025
Open
4 tasks
Copy link
Author

Copilot AI commented Nov 20, 2025

@copilot does this support setting the session store option via environment variables and via CLI argument? If not, add it.

The sessionStore option cannot be set via environment variables or CLI arguments because it requires an instantiated object (like RedisStore or MongoStore) that maintains active connections. These objects cannot be serialized to strings or JSON.

The current implementation requires programmatic configuration:

const dashboard = new ParseDashboard(config, {
  sessionStore: new RedisStore({ client: redisClient })
});

This is the standard pattern for express-session stores and matches how other Express.js applications handle session stores. The examples in /examples directory demonstrate the proper setup.

Copilot finished work on behalf of mtrezza November 20, 2025 14:52
@uffizzi-cloud
Copy link

uffizzi-cloud bot commented Nov 20, 2025
edited
Loading

Uffizzi Ephemeral Environment deployment-65875

⌚ Updated Nov 20, 2025, 17:37 UTC

☁️ https://app.uffizzi.com/github.com/parse-community/parse-dashboard/pull/3016

📄 View Application Logs etc.

What is Uffizzi? Learn more

mtrezza
mtrezza requested changes Nov 20, 2025
View reviewed changes
Copy link
Member

@mtrezza mtrezza left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove the files added to the examples directory. Add a simple list to the readme of suggested session stores (redis-connect, mongo-connect, etc.)

@mtrezza
Copy link
Member

mtrezza commented Nov 20, 2025

@copilot Remove the files added to the examples directory. Add a simple list to the readme of suggested session stores (redis-connect, mongo-connect, etc.)

@mtrezza mtrezza changed the title feat: Add sessionStore option to support multi-replica deployments feat: Add sessionStore option to support deploying dashboard on multiple server instances behind a load balancer Nov 20, 2025
@mtrezza mtrezza changed the title feat: Add sessionStore option to support deploying dashboard on multiple server instances behind a load balancer feat: Add sessionStore option to support deploying dashboard on multiple server instances behind a load balancer with common session store Nov 20, 2025
Copy link
Author

Copilot AI commented Nov 20, 2025

@copilot Remove the files added to the examples directory. Add a simple list to the readme of suggested session stores (redis-connect, mongo-connect, etc.)

Removed the example files and simplified the README with a list of suggested session stores (connect-redis, connect-mongo, connect-pg-simple, memorystore) in commit ed88924.

Copilot AI changed the title feat: Add sessionStore option to support deploying dashboard on multiple server instances behind a load balancer with common session store feat: Add sessionStore option to support multi-replica deployments Nov 20, 2025
Copilot finished work on behalf of mtrezza November 20, 2025 15:12
Copilot AI requested a review from mtrezza November 20, 2025 15:12
mtrezza
mtrezza reviewed Nov 20, 2025
View reviewed changes
mtrezza
mtrezza reviewed Nov 20, 2025
View reviewed changes
mtrezza
mtrezza reviewed Nov 20, 2025
View reviewed changes
mtrezza
mtrezza reviewed Nov 20, 2025
View reviewed changes
Copilot finished work on behalf of mtrezza November 20, 2025 17:16
Copilot AI changed the title feat: Add sessionStore option to support multi-replica deployments feat: Add cookieSessionStore option to support multi-replica deployments Nov 20, 2025
Copilot finished work on behalf of mtrezza November 20, 2025 17:24
Copilot AI requested a review from mtrezza November 20, 2025 17:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mtrezza mtrezza Awaiting requested review from mtrezza

Requested changes must be addressed to merge this pull request.

Assignees

@mtrezza mtrezza

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

CSRF token validation fails when Parse Dashboard runs behind a load balancer without sticky sessions

3 participants

@parseplatformorg @mtrezza