Lukas
8138857ee1
Adds support for gradual session secret rotation without forcing logout: - Add BANGUI_SESSION_SECRET_PREVIOUS config field for rotation window - Implement unwrap_session_token_with_rotation() to accept tokens signed with either current or previous secret - Update validate_session() to transparently accept old tokens during rotation - Update logout() to accept tokens from both secrets - Add comprehensive logging for rotation events and metrics - Add 8 new tests covering all rotation scenarios - Update documentation with step-by-step rotation strategy - Update .env.example with previous secret field Key features: - No forced logout: old tokens continue working during rotation window - Transparent validation: old tokens are automatically logged for monitoring - Production-safe: can rotate secrets without service interruption - Metrics-ready: logs track token rotation for observability Rotation workflow: 1. Generate new secret and set BANGUI_SESSION_SECRET 2. Set BANGUI_SESSION_SECRET_PREVIOUS to old secret 3. Wait for old tokens to expire (≥ session_duration_minutes) 4. Unset BANGUI_SESSION_SECRET_PREVIOUS to complete rotation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2.4 KiB
2.4 KiB