feat(session): add /api/v1/session/whoami modern PSR-15 demo route#105
Merged
Conversation
Manufactures a small standalone PSR-15 route that exercises the modern session middleware stack end-to-end. No retrofit of an existing route. Every existing controller in base/src either depends on HordeCore middleware (which calls Horde_Registry::appInit and populates globals) or reaches into globals directly. The whole point of the demo is to prove the modern stack works without that. Endpoint contract: GET /api/v1/session/whoami returns JSON with session id, authenticated flag, user id, session age, and per-app credential state map. An anonymous caller gets 401 by default. Setting $conf['session_whoami']['public']=true serves anonymous callers a populated body. The auth gate moves to the modern permissions stack once that lands. Stack: ErrorFilter -> JwtSessionLoader -> HordeSessionMiddleware -> SessionWhoamiController. No HordeCore. No AuthHordeSession. No Horde_Registry. Controller constructs an AuthCredentialStore per request bound to the session attribute the middleware put on the request. The DI-resolved AuthCredentialStore is keyed to whatever HordeSession HordeSessionFactory produced at request start, NOT the one the middleware loaded from the cookie. Local construction is the prototype-correct path. Future work refactors per-app state listing into AuthCredentialStore properly when a real consumer arrives. Plan: horde-development/strategies/modern-session-migration/ session-whoami-demo-plan-2026-06-11.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Manufactures a small standalone PSR-15 route that exercises the
modern session middleware stack end-to-end. No retrofit of an
existing route. Every existing controller in base/src either depends
on HordeCore middleware (which calls Horde_Registry::appInit and
populates globals) or reaches into globals directly. The whole
point of the demo is to prove the modern stack works without that.
Endpoint contract: GET /api/v1/session/whoami returns JSON with
session id, authenticated flag, user id, session age, and per-app
credential state map. An anonymous caller gets 401 by default.
Setting $conf['session_whoami']['public']=true serves anonymous
callers a populated body. The auth gate moves to the modern
permissions stack once that lands.
Stack: ErrorFilter -> JwtSessionLoader -> HordeSessionMiddleware
-> SessionWhoamiController. No HordeCore. No AuthHordeSession. No
Horde_Registry.
Controller constructs an AuthCredentialStore per request bound to
the session attribute the middleware put on the request. The
DI-resolved AuthCredentialStore is keyed to whatever HordeSession
HordeSessionFactory produced at request start, NOT the one the
middleware loaded from the cookie. Local construction is the
prototype-correct path. Future work refactors per-app state listing
into AuthCredentialStore properly when a real consumer arrives.
Plan: horde-development/strategies/modern-session-migration/
session-whoami-demo-plan-2026-06-11.md