feat(core): modern session/CSRF stack — NoopController, middleware, meta renderer, Bearer support#176
Merged
…tting telemetry headers
Summary
Five small commits adding the server-side substrate for a standalone modern session/CSRF API the JS side can talk to without going through HordeCore/HordeMobile.
- `Horde\Core\Controller\NoopController` — generic 204 terminal handler for routes whose response is fully produced by middleware. Reusable for ping, csrf-refresh, readiness, future CORS preflight, etc.
- `Horde\Core\Middleware\JwtSessionLoader` — extended to also handle `Authorization: Bearer` access tokens (resolving the `refresh_jti` claim) alongside its existing `horde_jwt_refresh` cookie path. Bearer wins on dual presence with an info log.
- `Horde\Core\Middleware\CsrfRotationMiddleware` — emits the `X-Csrf-Token` response header bound to the request's HordeSession.
- `Horde\Core\Middleware\SessionLifetimeMiddleware` — touches the `_last_seen` slot to refresh backend TTL, schedules regeneration when the deadline is past, emits `X-Next-Ping` + `X-Session-Ts` response headers.
- `Horde\Core\PageOutput\SessionApiMetaRenderer` — renders the bootstrap `<meta name="session-api">` and `<meta name="csrf-api">` tags from `RegistryState` + `Token` + the current request. Legacy `Horde_PageOutput::outputMetaTags()` now calls it before emitting accumulated tags so existing pages get the bootstrap automatically.

Strategy doc: `horde-development/strategies/session-to-jwt/canonical-session-auth-csrf-strategy-2026-06-26.md` §4.2.

Companion routes + JS client land in horde/base.
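As an added illustration of the credential precedence, CSRF header and session-lifetime logic described in the summary (not code from this PR or from Horde), written in plain PHP with arrays standing in for the PSR-7 request. The HMAC-based CSRF derivation, the half-TTL ping interval and the `_regenerate_at` / `_regenerate_scheduled` slot names are assumptions; only `_last_seen`, the cookie name and the header names come from the PR.

```php
<?php
declare(strict_types=1);

// JwtSessionLoader precedence: a Bearer access token wins over the horde_jwt_refresh
// cookie, and dual presence is logged at info level before the cookie is ignored.
function resolveSessionCredential(array $headers, array $cookies, callable $logInfo): ?array
{
    $bearer = null;
    if (preg_match('/^Bearer\s+(\S+)$/i', $headers['Authorization'] ?? '', $m)) {
        $bearer = $m[1];
    }
    $cookie = $cookies['horde_jwt_refresh'] ?? null;
    if ($bearer !== null && $cookie !== null) {
        $logInfo('Bearer token and horde_jwt_refresh cookie both present; Bearer wins');
    }
    if ($bearer !== null) {
        return ['source' => 'bearer', 'token' => $bearer];
    }
    return $cookie !== null ? ['source' => 'cookie', 'token' => $cookie] : null;
}

// CsrfRotationMiddleware: a token valid only for this session. Deriving it as an HMAC over
// the session id with a server-side key is an assumed scheme, not Horde's.
function csrfTokenForSession(string $sessionId, string $serverKey): string
{
    return hash_hmac('sha256', $sessionId, $serverKey);
}

// SessionLifetimeMiddleware: touch _last_seen so the backend TTL is refreshed, flag
// regeneration once the deadline is past (_regenerate_at and _regenerate_scheduled are
// assumed slot names), and compute X-Next-Ping (half the TTL, assumed) and X-Session-Ts.
function sessionLifetimeHeaders(array &$session, int $now, int $ttlSeconds): array
{
    $session['_last_seen'] = $now;
    if ($now >= ($session['_regenerate_at'] ?? PHP_INT_MAX)) {
        $session['_regenerate_scheduled'] = true;
    }
    return ['X-Next-Ping' => (string) max(1, intdiv($ttlSeconds, 2)), 'X-Session-Ts' => (string) $now];
}

// Constructed sample request with both credentials present: Bearer is chosen and logged.
$logInfo = fn(string $msg) => fwrite(STDERR, "[info] $msg\n");
$cred = resolveSessionCredential(['Authorization' => 'Bearer sample.access.token'],
                                 ['horde_jwt_refresh' => 'sample-refresh-cookie'], $logInfo);
$session = ['_regenerate_at' => 1700000000];
$headers = sessionLifetimeHeaders($session, 1700000100, 1800);
$headers['X-Csrf-Token'] = csrfTokenForSession('sess-abc123', 'server-key-placeholder');
var_dump($cred['source'], $session['_regenerate_scheduled'], $headers['X-Next-Ping']);
```

Run with `php` from the command line; the sample prints `bearer`, `true` and `900`, and the info line on stderr shows the dual-presence case being logged.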