fix: Make session.user and session.groups accessible in modules and Express#2276
Open
cpsievert wants to merge 4 commits into
Open
fix: Make session.user and session.groups accessible in modules and Express#2276cpsievert wants to merge 4 commits into
cpsievert wants to merge 4 commits into
Conversation
…xpress SessionProxy and ExpressStubSession both lacked user/groups, causing AttributeError whenever app code read session.user outside of a root AppSession (i.e. inside any module or Express app). Beyond patching the missing attributes, user and groups are now abstract read-only properties on the Session ABC. AppSession exposes them via properties backed by private _user/_groups fields; SessionProxy delegates to _root_session; ExpressStubSession returns None. This prevents app code from mutating authenticated identity, which is derived from immutable HTTP credentials headers. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
session.userandsession.groupsraiseAttributeErrorin any session context other than a rootAppSession— which means module sessions and Express apps both fail silently or crash when app code tries to read the authenticated user's identity.Minimal reproducible example (Express):
Module session:
The root cause was twofold:
ExpressStubSessionnever initialiseduserorgroupsSessionProxy(used for module sessions) never delegateduser/groupsto its root sessionFix
Beyond just adding the missing attributes, this exposed a design gap:
userandgroupswere plain mutable instance attributes onAppSession, which means nothing in the type system prevented app code from reassigning them. Since these represent authenticated identity derived from immutable HTTP headers, they should be read-only.userandgroupsare now abstract read-only properties on theSessionABC, implemented concretely across all three session types:AppSession: reads from private_user/_groupsbacking fields populated from credentials headers at connection timeSessionProxy: delegates to_root_session.user/_root_session.groupsvia property, so module sessions always reflect the root session's identity (including nested modules)ExpressStubSession: returnsNone— no real HTTP connection, so no credentials