lukas.pupkalipinski/BanGUI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Implement session secret rotation support

Browse Source 
Adds support for gradual session secret rotation without forcing logout:

- Add BANGUI_SESSION_SECRET_PREVIOUS config field for rotation window
- Implement unwrap_session_token_with_rotation() to accept tokens signed with
  either current or previous secret
- Update validate_session() to transparently accept old tokens during rotation
- Update logout() to accept tokens from both secrets
- Add comprehensive logging for rotation events and metrics
- Add 8 new tests covering all rotation scenarios
- Update documentation with step-by-step rotation strategy
- Update .env.example with previous secret field

Key features:
- No forced logout: old tokens continue working during rotation window
- Transparent validation: old tokens are automatically logged for monitoring
- Production-safe: can rotate secrets without service interruption
- Metrics-ready: logs track token rotation for observability

Rotation workflow:
1. Generate new secret and set BANGUI_SESSION_SECRET
2. Set BANGUI_SESSION_SECRET_PREVIOUS to old secret
3. Wait for old tokens to expire (≥ session_duration_minutes)
4. Unset BANGUI_SESSION_SECRET_PREVIOUS to complete rotation

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
Lukas
2026-05-01 18:01:11 +02:00
parent 67b26a3ef7
commit 8138857ee1
8 changed files with 359 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
Docs/Tasks.md
View File

@@ -1,39 +1,3 @@
## [MEDIUM] Inefficient database pagination uses OFFSET
**Where found**
- `backend/app/utils/pagination.py` — uses `OFFSET (page-1) * page_size`
**Why this is needed**
OFFSET scans and discards N rows to fetch N+limit. Last page on 10M row table: 15 seconds ⚠️
**Goal**
Implement keyset pagination (cursor-based) for large result sets.
**What to do**
1. **Short-term:** Add database indexes on sort columns
2. **Long-term:** Implement cursor-based pagination using WHERE instead of OFFSET
3. Frontend sends cursor (last row ID) instead of page number
**Possible traps and issues**
- Cursor must be deterministic
- API contract changes
- Cursor format must be opaque to client
**Docs changes needed**
- Update `Docs/Backend-Development.md` § Database Performance
**Doc references**
- `Docs/Backend-Development.md` (database performance)
---
## [MEDIUM] Session secret rotation not implemented
**Where found**