feat: Add session renew capabilities, #615

[abador]

Add session renew to kratos:

• whoami
• renew by session id
• renew by current session

Related issue(s)

#615

Checklist

• I have read the contributing guidelines.
• I have referenced an issue containing the design document if my change
  introduces a new feature.
• I am following the
  contributing code guidelines.
• I have read the security policy.
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security. vulnerability, I
  confirm that I got green light (please contact
  security@ory.sh) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature
  works.
• I have added or changed the documentation.

Further Comments

It's a follow-up after this pr on our repo: Wikia#48

[aeneasr]

Great job! Just a few notes :) Could you please also add a guide to the docs how to use this feature?

[abador]

@aeneasr tests are failing, but this doesn't seem to be caused by my changes(except for prettier). More docs added in here

[aeneasr]

It looks like there's a lint issue: https://app.circleci.com/pipelines/github/ory/kratos/5952/workflows/0452509a-af7c-4dc4-88ac-87c189d19b29/jobs/31412 :)

[aeneasr]

Thank you! This is looking grand! I just have two minor things regarding the API route structure :)

[aeneasr]

We try to have structure with REST resource model, so this would be:

Suggested change

	// swagger:route PATCH /sessions/refresh/{id} v0alpha2 adminSessionRefresh
	// swagger:route PATCH /sessions/{id}/refresh v0alpha2 adminRefreshSession

or

Suggested change

	// swagger:route PATCH /sessions/refresh/{id} v0alpha2 adminSessionRefresh
	// swagger:route PATCH /sessions/{id}?refresh=true v0alpha2 adminRefreshSession

[aeneasr]

Suggested change

	// Calling this endpoint refreshes a given session.
	// If `session.earliest_refresh` is set it will only refresh the session after this time has passed.
	// Calling this endpoint refreshes the given session ID.
	// If `session.earliest_refresh` is set it will only refresh the session after this time has passed.

[aeneasr]

Suggested change

	// This endpoint is useful for:
	//
	// - Session refresh

[aeneasr]

I think this route would currently cause a conflict with the other session routes? I would suggest:

Suggested change

	// swagger:route PATCH /sessions/refresh v0alpha2 adminCurrentSessionRefresh
	//
	// Calling this endpoint refreshes a given session.
	// If `session.earliest_refresh` is set it will only refresh the session after this time has passed.
	//
	// This endpoint is useful for:
	//
	// - Session refresh
	//
	// Schemes: http, https
	//
	// Security:
	// oryAccessToken:
	//
	// Responses:
	// swagger:route PATCH /sessions?refresh=true v0alpha2 adminRefreshSessionFromCredentials
	//
	// Calling this endpoint you can refresh an Ory Session Cookie or Ory Session Token. You must
	// include the Ory Session Token in the `Cookie` header or the Ory Session Token in the `X-Session-Token`
	// header.
	//
	// If `session.earliest_refresh` is set it will only refresh the session after this time has passed.
	//
	// Schemes: http, https
	//
	// Security:
	// oryAccessToken:
	//
	// Responses:

Please also add these keys (x-session-token, cookie) to the argument this method can receive (see the whoami endpoint for an example) :)

[hero101]

What is the status of this PR - is it stale? We are also investigating this and are interested in it.

[aeneasr]

If you want to pick this up please feel free to do so! :)

[codecov]

Codecov Report

Merging #2146 (890765b) into master (b5b1361) will decrease coverage by 0.02%.
The diff coverage is 91.89%.

❗ Current head 890765b differs from pull request most recent head 60fab42. Consider uploading reports for the commit 60fab42 to get more accurate results

@@            Coverage Diff             @@
##           master    #2146      +/-   ##
==========================================
- Coverage   76.62%   76.59%   -0.03%     
==========================================
  Files         318      318              
  Lines       17190    17217      +27     
==========================================
+ Hits        13171    13187      +16     
- Misses       3087     3097      +10     
- Partials      932      933       +1     

Impacted Files	Coverage Δ
session/handler.go	71.34% <87.50%> (+1.27%)	⬆️
driver/config/config.go	81.75% <100.00%> (+0.06%)	⬆️
internal/testhelpers/handler_mock.go	91.01% <100.00%> (+0.31%)	⬆️
session/session.go	71.11% <100.00%> (-10.07%)	⬇️
persistence/sql/persister_courier.go	88.33% <0.00%> (+3.33%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b5b1361...60fab42. Read the comment docs.

[aeneasr]

I don't think that we can add the refresh functionality as it is right now to /session/whoami. It is basically vulnerable to CSRF attacks where an attacker could trick a user into indefinitely refreshing a session. I will probably merge the possibility to refresh a session given the session ID using the admin API only.

[hero101]

I don't think that we can add the refresh functionality as it is right now to /session/whoami. It is basically vulnerable to CSRF attacks where an attacker could trick a user into indefinitely refreshing a session. I will probably merge the possibility to refresh a session given the session ID using the admin API only.

Great to see this is making progress. I believe that the admin API refresh capabilities will cover most of the use cases.
Any ideas when will this be released in order for us to push it down our pipelines as well?

[aeneasr]

Great to see this is making progress. I believe that the admin API refresh capabilities will cover most of the use cases.
Any ideas when will this be released in order for us to push it down our pipelines as well?

I'll try to get this merged before my vacation