session: add a new session token v2 #350
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
End-rey
requested review from
carpawell,
cthulhu-rider and
roman-khimov
as code owners
End-rey
force-pushed
the
new-session-token-v2
branch
from
e65a42a to
11f58a6
Compare
carpawell
reviewed
Oct 21, 2025
session/types.proto
Outdated
| // Not valid before epoch, the first epoch when token is valid. | ||
| uint64 nbf = 2 [json_name = "nbf"]; | ||
|
|
||
| // Issued at Epoch |
Member
There was a problem hiding this comment.
Suggested change
| // Issued at Epoch | |
| // Issued at epoch. |
Member
There was a problem hiding this comment.
oh, it was just copied, ok. but still dot at the end would look better according to other fields
session/types.proto
Outdated
| // Account represents an identity in NeoFS. | ||
| // It can be either direct (OwnerID) or indirect (NNS domain). | ||
| message Account { | ||
| // Account identifier |
Member
There was a problem hiding this comment.
most of the time, we add dots at the end of comments in this repo
session/types.proto
Outdated
|
|
||
| // Account represents an identity in NeoFS. | ||
| // It can be either direct (OwnerID) or indirect (NNS domain). | ||
| message Account { |
Member
There was a problem hiding this comment.
are we sure such a general entity should be described in the session package?
Author
There was a problem hiding this comment.
Member
There was a problem hiding this comment.
it would look better there for me, yes
End-rey
force-pushed
the
new-session-token-v2
branch
from
11f58a6 to
694d30d
Compare
End-rey
force-pushed
the
new-session-token-v2
branch
2 times, most recently
from
b967342 to
7a51333
Compare
session/types.proto
Outdated
| ObjectSessionContextV2 object = 6 [json_name = "object"]; | ||
|
|
||
| // ContainerService authorization context. | ||
| ContainerSessionContextV2 container = 7 [json_name = "container"]; |
Member
There was a problem hiding this comment.
Maybe we can have a single set of object/container operations? I'm not sure what this separation buys us.
End-rey
force-pushed
the
new-session-token-v2
branch
from
7a51333 to
45af0fd
Compare
End-rey
force-pushed
the
new-session-token-v2
branch
2 times, most recently
from
d863037 to
f7f489d
Compare
This was referenced Nov 1, 2025
End-rey
force-pushed
the
new-session-token-v2
branch
from
f7f489d to
a4dfb59
Compare
Session Token v2 solves the delegation, power of attorney, and chain-of-trust problems. It enables: - Account-based authority (direct or NNS-based indirect) - Multi-account subjects (multiple entities can use same token) - Multi-verb operations (GET, PUT, DELETE in single token) - Delegation chains (verifiable like X.509 certificates) - Indirect accounts (NeoFS Name Service resolution) Refs #241. Signed-off-by: Andrey Butusov <andrey@nspcc.io>
Member
roman-khimov
left a comment
roman-khimov
left a comment
There was a problem hiding this comment.
But it looks good, pretty simple but powerful structure.
| // Lifetime parameters of the token. Field names taken from rfc7519. | ||
| message TokenLifetime { | ||
| // Expiration epoch, the last epoch when token is valid. | ||
| // For SessionTokenV2 this is the last valid Unix timestamp. |
Member
There was a problem hiding this comment.
- It's very different in semantics.
- Compatibility warning fires for the removal of old
TokenLifetime, so we can keep it as is and add this new one for v2.
| // NeoFS Name Service. The name must be a valid DNS-like domain name | ||
| // (e.g., "example.neofs") that is registered in the NNS contract on | ||
| // the Neo blockchain. The NNS record should contain a string record with | ||
| // the corresponding OwnerID value. |
| // Account that issued this token (who signed it). | ||
| Target issuer = 3 [json_name = "issuer"]; | ||
|
|
||
| // Accounts authorized by this token (who can use it). |
Member
There was a problem hiding this comment.
We need some limits for all repeated fields.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Refs #241.