archtechx/tenancy
1
0
Fork 0
mirror of https://github.com/archtechx/tenancy.git synced 2025-12-12 06:44:04 +00:00
Code Activity

Config: scope_sessions = true only with supported drivers, always throw

Browse source 
With the previous implementation, many users would use the default
config that enables scope_sessions. They would then deploy the app
to production and get the exception there since they use the
`database` session driver which is scoped by a different mechanism.

The idea behind throwing the exception only in prod was to make it
easy to use different setups locally without getting annoying
exceptions, while notifying users that a security feature they enabled
isn't running in production.

However, a better way of doing this is to just throw the exception
consistently in all setups and use a sane default for enabling the
scope_sessions setting based on the SESSION_DRIVER env var.

Users are always encouraged to read the session scoping docs to make
sure their session scoping configuration makes sense for their specific
setup, but this is a good balance for providing solid security out of
the box for most setups without requiring users to configure things
manually.
This commit is contained in:
Samuel Štancl 2025-11-05 14:53:07 +01:00
parent cab8ecebec
commit 510358b9be
No known key found for this signature in database
GPG key ID: BA146259A1E16C57
2 changed files with 2 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

2
assets/config.php
View file

@ -313,7 +313,7 @@ return [
* *
* Note: This will implicitly add your configured session store to the list of prefixed stores above. * Note: This will implicitly add your configured session store to the list of prefixed stores above.
*/ */
'scope_sessions' => true, 'scope_sessions' => in_array(env('SESSION_DRIVER'), ['redis', 'memcached', 'dynamodb', 'apc'], true),
'tag_base' => 'tenant', // This tag_base, followed by the tenant_id, will form a tag that will be applied on each cache call. 'tag_base' => 'tenant', // This tag_base, followed by the tenant_id, will form a tag that will be applied on each cache call.
], ],

9
src/Bootstrappers/CacheTenancyBootstrapper.php
View file

@ -102,14 +102,7 @@ class CacheTenancyBootstrapper implements TenancyBootstrapper
if ($this->config->get('tenancy.cache.scope_sessions', true)) { if ($this->config->get('tenancy.cache.scope_sessions', true)) {
// These are the only cache driven session backends (see Laravel's config/session.php) // These are the only cache driven session backends (see Laravel's config/session.php)
if (! in_array($this->config->get('session.driver'), ['redis', 'memcached', 'dynamodb', 'apc'], true)) { if (! in_array($this->config->get('session.driver'), ['redis', 'memcached', 'dynamodb', 'apc'], true)) {
if (app()->environment('production')) { throw new Exception('Session driver [' . $this->config->get('session.driver') . '] cannot be scoped by tenancy.cache.scope_sessions');
// We only throw this exception in prod to make configuration a little easier. Developers
// may have scope_sessions set to true while using different session drivers e.g. in tests.
// Previously we just silently ignored this, however since session scoping is of high importance
// in production, we make sure to notify the developer, by throwing an exception, that session
// scoping isn't happening as expected/configured due to an incompatible session driver.
throw new Exception('Session driver [' . $this->config->get('session.driver') . '] cannot be scoped by tenancy.cache.scope_sessions');
}
} else { } else {
// Scoping sessions using this bootstrapper implicitly adds the session store to $names // Scoping sessions using this bootstrapper implicitly adds the session store to $names
$names[] = $this->getSessionCacheStoreName(); $names[] = $this->getSessionCacheStoreName();