feat(FTL-17164): re-generate session id after successful authentication

affinidi-messaging-mediator/src/database/session.rs

@@ -108,7 +108,7 @@
 impl DatabaseHandler {
     /// Creates a new session in the database
     /// Typically called when sending the initial challenge to the client
     pub async fn create_session(&self, session: &Session) -> Result<(), MediatorError> {
         let mut con = self.get_async_connection().await?;
 
         let sid = format!("SESSION:{}", session.session_id);
@@ -164,29 +164,37 @@
     /// Updates the state, and the expiry time
     pub async fn update_session_authenticated(
         &self,
-        session_id: &str,
+        old_session_id: &str,
+        new_session_id: &str,
     ) -> Result<(), MediatorError> {
         let mut con = self.get_async_connection().await?;
 
-        let sid = format!("SESSION:{}", session_id);
+        let old_sid = format!("SESSION:{}", old_session_id);
+        let new_sid = format!("SESSION:{}", new_session_id);
 
         deadpool_redis::redis::pipe()
             .atomic()
+            .cmd("RENAME")
+            .arg(&old_sid)
+            .arg(&new_sid)
             .cmd("HSET")
-            .arg(&sid)
+            .arg(&new_sid)
             .arg("state")
             .arg(SessionState::Authenticated.to_string())
             .cmd("HINCRBY")
             .arg("GLOBAL")
             .arg("SESSIONS_SUCCESS")
             .arg(1)
-            .expire(&sid, 86400)
+            .expire(&new_sid, 86400)
             .query_async(&mut con)
             .await
             .map_err(|err| {
                 MediatorError::SessionError(
-                    session_id.into(),
-                    format!("tried to retrieve session({}). Error: {}", session_id, err),
+                    old_session_id.into(),
+                    format!(
+                        "tried to retrieve session({}). Error: {}",
+                        old_session_id, err
+                    ),
                 )
             })?;
 

affinidi-messaging-mediator/src/handlers/authenticate.rs

@@ -1,15 +1,11 @@
-use std::{net::SocketAddr, time::SystemTime};
-
 use affinidi_messaging_didcomm::{envelope::MetaEnvelope, Message, UnpackOptions};
 use affinidi_messaging_sdk::messages::GenericDataStruct;
-use axum::{
-    extract::{ConnectInfo, State},
-    Json,
-};
+use axum::{extract::State, Json};
 use http::StatusCode;
 use jsonwebtoken::{encode, Header};
 use rand::{distributions::Alphanumeric, Rng};
 use serde::{Deserialize, Serialize};
+use std::time::SystemTime;
 use tracing::{debug, info, warn};
 
 use crate::{
@@ -169,7 +165,7 @@ pub async fn authentication_response(
     })?;
 
     // Retrieve the session info from the database
-    let session = state.database.get_session(&challenge.session_id).await?;
+    let mut session = state.database.get_session(&challenge.session_id).await?;
 
     // check that the DID matches from what was given for the initial challenge request to what was used for the message response
     if let Some(from_did) = msg.from {
@@ -203,6 +199,8 @@ pub async fn authentication_response(
         )
         .into());
     }
+    let old_sid = session.session_id;
+    session.session_id = create_random_string(12);
 
     // Passed all the checks, now create the JWT tokens
     let access_claims = SessionClaims {
@@ -253,7 +251,7 @@ pub async fn authentication_response(
     // Set the session state to Authorized
     state
         .database
-        .update_session_authenticated(&session.session_id)
+        .update_session_authenticated(&old_sid, &session.session_id)
         .await?;
 
     info!(