Session Authentication Management

Asset Reality ensures that all session-based communications are authenticated and authorised using secure session handling. Sessions are validated on every request and injected into the request lifecycle for fine-grained access control. Expired or invalid sessions are rejected, and all session usage is audited using custom audit logging middleware.

Details

1. Session Token Issued for Authenticated Users

  • A session token is only generated and returned after the user:

    1. Submits valid credentials
    2. Successfully completes any required 2FA or biometric challenge
  • This is enforced through the /user/authenticate flow, which chains:

    1. AuthenticateUser
    2. VerifyCode (2FA)
    3. StartUserDeviceChallenge & VerifyUserDeviceChallenge (biometrics, if enabled)
  • Only upon completion of the required authentication steps is CreateUserSession called, which issues the token.

2. Session Authentication Middleware

The Authenticate middleware reads the session token from the request header and validates it by querying the Redis session store. If the session is valid, it is injected into the request context; requests without a valid session are rejected before they reach a route handler.

3. Session Required for Protected Routes

Protected route handlers use ReadSessionFromRequest() to retrieve session data. If it is not found or is invalid, the request is denied.

4. Session Expiry and Revocation

Sessions are stored centrally in Redis; a session that has expired or been revoked there fails validation, so the request carrying it is rejected.
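As an added illustration of sections 2 to 4 (example code, not Asset Reality's own service), the following Go program wires an Authenticate middleware and a ReadSessionFromRequest accessor in front of one protected route, with unknown, expired and revoked tokens all rejected by the same lookup. The in-memory SessionStore, the X-Session-Token header name, the Session fields, the /user/profile path and the fixed clock are assumptions standing in for the Redis store and the real names, which the page does not give.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// Session is the per-token record; its shape is an assumption (the page does not describe it).
type Session struct {
	UserID    string
	ExpiresAt time.Time
	Revoked   bool
}

// SessionStore stands in for the central Redis store: an in-memory map with an injectable clock.
type SessionStore struct {
	sessions map[string]*Session
	now      func() time.Time
}

func NewSessionStore(now func() time.Time) *SessionStore {
	return &SessionStore{sessions: map[string]*Session{}, now: now}
}

// Put stores a session under its token (the CreateUserSession step on the page).
func (s *SessionStore) Put(token string, sess Session) { s.sessions[token] = &sess }

// Revoke makes a session unusable before its expiry.
func (s *SessionStore) Revoke(token string) {
	if sess := s.sessions[token]; sess != nil {
		sess.Revoked = true
	}
}

var ErrNoSession = errors.New("session missing, expired or revoked")

// Lookup returns the live session for token; unknown, expired and revoked tokens
// all produce the same error, so a caller cannot tell them apart.
func (s *SessionStore) Lookup(token string) (Session, error) {
	sess := s.sessions[token]
	if sess == nil || sess.Revoked || !s.now().Before(sess.ExpiresAt) {
		return Session{}, ErrNoSession
	}
	return *sess, nil
}

type sessionKey struct{}

// sessionHeader is an assumed name; the page only says "request header".
const sessionHeader = "X-Session-Token"

// Authenticate reads the token, validates it against the store and injects the
// session into the request context; invalid requests never reach next.
func Authenticate(store *SessionStore, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		sess, err := store.Lookup(r.Header.Get(sessionHeader))
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		ctx := context.WithValue(r.Context(), sessionKey{}, sess)
		next.ServeHTTP(w, r.WithContext(ctx))
	})
}

// ReadSessionFromRequest only ever finds a session that Authenticate already validated.
func ReadSessionFromRequest(r *http.Request) (Session, bool) {
	sess, ok := r.Context().Value(sessionKey{}).(Session)
	return sess, ok
}

// profileHandler is a protected route: no injected session, no data.
func profileHandler(w http.ResponseWriter, r *http.Request) {
	sess, ok := ReadSessionFromRequest(r)
	if !ok {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	fmt.Fprintf(w, "user=%s", sess.UserID)
}

// Serve drives one request through the stack and returns status and body.
func Serve(store *SessionStore, token string) (int, string) {
	h := Authenticate(store, http.HandlerFunc(profileHandler))
	req := httptest.NewRequest(http.MethodGet, "/user/profile", nil)
	req.Header.Set(sessionHeader, token)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	clock := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // constructed fixed time
	store := NewSessionStore(func() time.Time { return clock })
	store.Put("tok-alice", Session{UserID: "alice", ExpiresAt: clock.Add(time.Hour)})
	code, body := Serve(store, "tok-alice")
	fmt.Printf("%d %s\n", code, body)
}
```

The handler never inspects the header itself: the only path to a Session value in the context runs through Authenticate, so a route cannot accidentally trust an unvalidated token. Returning one error for missing, expired and revoked tokens keeps the 401 response from revealing which case applied.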

5. TLS Encryption of Tokens

Session tokens are sent in HTTP headers and all communication occurs over TLS.

6. Auditability

Session-related routes (get/refresh/delete) are wrapped in the audit middleware, which logs each action to the centralised logging service and to Datadog.