Skip to content

session: add a new session token v2#350

Merged
cthulhu-rider merged 1 commit intomasterfrom
new-session-token-v2
Dec 5, 2025
Merged

session: add a new session token v2#350
cthulhu-rider merged 1 commit intomasterfrom
new-session-token-v2

Conversation

@End-rey
Copy link
Contributor

@End-rey End-rey commented Oct 20, 2025

Refs #241.

@End-rey End-rey self-assigned this Oct 20, 2025
@End-rey End-rey marked this pull request as draft October 20, 2025 14:57
@End-rey End-rey force-pushed the new-session-token-v2 branch from e65a42a to 11f58a6 Compare October 20, 2025 15:17
carpawell
carpawell reviewed Oct 21, 2025
View reviewed changes
@End-rey End-rey force-pushed the new-session-token-v2 branch from 11f58a6 to 694d30d Compare October 22, 2025 18:58
@End-rey End-rey requested a review from carpawell October 22, 2025 19:21
@End-rey End-rey force-pushed the new-session-token-v2 branch 2 times, most recently from b967342 to 7a51333 Compare October 23, 2025 11:20
roman-khimov
roman-khimov reviewed Oct 23, 2025
View reviewed changes
session/types.proto Outdated
ObjectSessionContextV2 object = 6 [json_name = "object"];

// ContainerService authorization context.
ContainerSessionContextV2 container = 7 [json_name = "container"];
Copy link
Member

@roman-khimov roman-khimov Oct 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we can have a single set of object/container operations? I'm not sure what this separation buys us.

@End-rey End-rey force-pushed the new-session-token-v2 branch from 7a51333 to 45af0fd Compare October 23, 2025 18:40
@End-rey End-rey requested a review from roman-khimov October 23, 2025 18:40
@End-rey End-rey force-pushed the new-session-token-v2 branch 2 times, most recently from d863037 to f7f489d Compare October 31, 2025 14:50
This was referenced Nov 1, 2025
Merged
Merged
@End-rey End-rey force-pushed the new-session-token-v2 branch from f7f489d to a4dfb59 Compare November 17, 2025 16:38
@End-rey End-rey marked this pull request as ready for review November 17, 2025 21:50
roman-khimov
roman-khimov reviewed Nov 25, 2025
View reviewed changes
Copy link
Member

@roman-khimov roman-khimov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But it looks good, pretty simple but powerful structure.

@End-rey End-rey force-pushed the new-session-token-v2 branch from a4dfb59 to 1a8c6a1 Compare November 26, 2025 16:01
@End-rey End-rey requested a review from roman-khimov November 27, 2025 09:25
roman-khimov
roman-khimov reviewed Nov 28, 2025
View reviewed changes
@End-rey End-rey force-pushed the new-session-token-v2 branch from 1a8c6a1 to 5278238 Compare December 1, 2025 11:04
@End-rey End-rey requested a review from roman-khimov December 1, 2025 12:10
roman-khimov
roman-khimov reviewed Dec 1, 2025
View reviewed changes
@End-rey End-rey force-pushed the new-session-token-v2 branch 2 times, most recently from b32a054 to 1642d22 Compare December 3, 2025 14:38
@End-rey End-rey requested a review from roman-khimov December 3, 2025 14:38
roman-khimov
roman-khimov previously approved these changes Dec 4, 2025
View reviewed changes
Copy link
Member

@roman-khimov roman-khimov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good otherwise. ID is not critical, but I just don't see any use for it. Maybe @carpawell or @cthulhu-rider do.

session/types.proto Outdated
uint32 version = 1 [json_name = "version"];

// Token identifier (UUIDv4 in binary form).
bytes id = 2 [json_name = "id"];
Copy link
Member

@roman-khimov roman-khimov Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can be uint32 nonce. We have no use for this ID other than to prevent collisions.

Copy link
Contributor

@cthulhu-rider cthulhu-rider Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

does anyone see usecase for creating additional token that differs only in id?

Copy link
Member

@roman-khimov roman-khimov Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I treat it like a transaction nonce. Same version, same policy, same everything, but we want to have a different ID of course. For that UUID is an overkill.

Copy link
Member

@roman-khimov roman-khimov Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But why would anyone want to create the same token with different ID is a mystery. Maybe it can happen accidentally though. Like some code has lost the old token and then it creates a new one.

Copy link
Member

@carpawell carpawell Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what do you suggest to use as a token id? currenlty, a pair of owner/tokenID is used in node's cache. hash body?

Copy link
Member

@roman-khimov roman-khimov Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And that's more secure, because UUID can be reused in completely different tokens, it should never be used for caching.

Copy link
Member

@carpawell carpawell Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tbh, never liked uuid and the way it was gotten from the user without any uniqueness guarantees. support dropping it

Copy link
Contributor

@cthulhu-rider cthulhu-rider Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

currently, sys behavior is identical for two tokens that differ only in id. For example, the fact that some token was lost and recreated on user side (this is possible with RFC6979 signature scheme) still cannot be verified. However, caching will require more resources

Copy link
Contributor Author

@End-rey End-rey Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, drop id and use for caching hash body?

Copy link
Member

@roman-khimov roman-khimov Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Replace is with 32 bit nonce. Just in case we need some randomness. Otherwise they're identified by hashes (like containers or objects are, for example).

carpawell
carpawell previously approved these changes Dec 5, 2025
View reviewed changes
session/types.proto
// Signature of the body by the issuer.
neo.fs.v2.refs.Signature signature = 2 [json_name = "signature"];

// Origin token that was delegated to create this token.
Copy link
Member

@carpawell carpawell Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

mention that delegation cannot be wider than the previous one in the chain?

session/types.proto Outdated
uint32 version = 1 [json_name = "version"];

// Token identifier (UUIDv4 in binary form).
bytes id = 2 [json_name = "id"];
Copy link
Member

@carpawell carpawell Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what do you suggest to use as a token id? currenlty, a pair of owner/tokenID is used in node's cache. hash body?

cthulhu-rider
cthulhu-rider reviewed Dec 5, 2025
View reviewed changes
Copy link
Contributor

@cthulhu-rider cthulhu-rider left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

how about this case

neofs-api/object/types.proto

Line 200 in ff6de9a

neo.fs.v2.session.SessionToken session_token = 9 [json_name = "sessionToken"];
?

session/types.proto Outdated
SessionToken session_token = 5 [json_name = "sessionToken"];

// Session token v2 with delegation chain support.
// If both session_token and session_token_v2 are set, session_token_v2 takes precedence.
Copy link
Contributor

@cthulhu-rider cthulhu-rider Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i'd consider such requests invalid

Copy link
Contributor Author

@End-rey End-rey Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We once discussed that both tokens are possible and they do not interfere with each other @roman-khimov

Copy link
Member

@roman-khimov roman-khimov Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They don't interfere in that you can use one or another, but mixing them would be strange and we can forbid it immediately to prevent any inconsistencies.

@End-rey End-rey dismissed stale reviews from carpawell and roman-khimov via 4190114 December 5, 2025 11:54
@End-rey End-rey force-pushed the new-session-token-v2 branch from 1642d22 to 4190114 Compare December 5, 2025 11:54
@End-rey End-rey force-pushed the new-session-token-v2 branch from 4190114 to b3207f5 Compare December 5, 2025 11:56
carpawell
carpawell previously approved these changes Dec 5, 2025
View reviewed changes
@End-rey
Copy link
Contributor Author

End-rey commented Dec 5, 2025

I think we won't merge for now, just in case.

roman-khimov
roman-khimov reviewed Dec 5, 2025
View reviewed changes
@End-rey End-rey force-pushed the new-session-token-v2 branch from b3207f5 to ff19835 Compare December 5, 2025 12:24
@End-rey End-rey requested a review from roman-khimov December 5, 2025 12:24
@End-rey
session: add a new session token v2
ff19835 
Session Token v2 solves the delegation, power of attorney, and chain-of-trust
problems. It enables:
- Account-based authority (direct or NNS-based indirect)
- Multi-account subjects (multiple entities can use same token)
- Multi-verb operations (GET, PUT, DELETE in single token)
- Delegation chains (verifiable like X.509 certificates)
- Indirect accounts (NeoFS Name Service resolution)

Refs #241.

Signed-off-by: Andrey Butusov <andrey@nspcc.io>
@cthulhu-rider cthulhu-rider merged commit 2aa8bbe into master Dec 5, 2025
3 checks passed
@cthulhu-rider cthulhu-rider deleted the new-session-token-v2 branch December 5, 2025 12:44
@roman-khimov roman-khimov mentioned this pull request Dec 6, 2025
Closed
@End-rey End-rey mentioned this pull request Dec 11, 2025
Merged
carpawell added a commit to nspcc-dev/neofs-sdk-go that referenced this pull request Dec 19, 2025
@carpawell
Session token V2 (#750)
36305f2 
Refs nspcc-dev/neofs-api#350
@End-rey End-rey mentioned this pull request Dec 20, 2025
Merged
@roman-khimov roman-khimov mentioned this pull request Jan 19, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@roman-khimov roman-khimov roman-khimov approved these changes

@cthulhu-rider cthulhu-rider cthulhu-rider approved these changes

@carpawell carpawell carpawell left review comments

Assignees

@End-rey End-rey

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@End-rey @roman-khimov @carpawell @cthulhu-rider