Skip to content

feat(session): add /api/v1/session/whoami modern PSR-15 demo route#105

Merged
ralflang merged 1 commit into
FRAMEWORK_6_0from
feat/session-whoami-demo
Jun 11, 2026
Merged

feat(session): add /api/v1/session/whoami modern PSR-15 demo route#105
ralflang merged 1 commit into
FRAMEWORK_6_0from
feat/session-whoami-demo

Conversation

@ralflang

Copy link
Copy Markdown
Member

Manufactures a small standalone PSR-15 route that exercises the
modern session middleware stack end-to-end. No retrofit of an
existing route. Every existing controller in base/src either depends
on HordeCore middleware (which calls Horde_Registry::appInit and
populates globals) or reaches into globals directly. The whole
point of the demo is to prove the modern stack works without that.

Endpoint contract: GET /api/v1/session/whoami returns JSON with
session id, authenticated flag, user id, session age, and per-app
credential state map. An anonymous caller gets 401 by default.
Setting $conf['session_whoami']['public']=true serves anonymous
callers a populated body. The auth gate moves to the modern
permissions stack once that lands.

Stack: ErrorFilter -> JwtSessionLoader -> HordeSessionMiddleware
-> SessionWhoamiController. No HordeCore. No AuthHordeSession. No
Horde_Registry.

Controller constructs an AuthCredentialStore per request bound to
the session attribute the middleware put on the request. The
DI-resolved AuthCredentialStore is keyed to whatever HordeSession
HordeSessionFactory produced at request start, NOT the one the
middleware loaded from the cookie. Local construction is the
prototype-correct path. Future work refactors per-app state listing
into AuthCredentialStore properly when a real consumer arrives.

Plan: horde-development/strategies/modern-session-migration/
session-whoami-demo-plan-2026-06-11.md

Manufactures a small standalone PSR-15 route that exercises the
modern session middleware stack end-to-end. No retrofit of an
existing route. Every existing controller in base/src either depends
on HordeCore middleware (which calls Horde_Registry::appInit and
populates globals) or reaches into globals directly. The whole
point of the demo is to prove the modern stack works without that.

Endpoint contract: GET /api/v1/session/whoami returns JSON with
session id, authenticated flag, user id, session age, and per-app
credential state map. An anonymous caller gets 401 by default.
Setting $conf['session_whoami']['public']=true serves anonymous
callers a populated body. The auth gate moves to the modern
permissions stack once that lands.

Stack: ErrorFilter -> JwtSessionLoader -> HordeSessionMiddleware
-> SessionWhoamiController. No HordeCore. No AuthHordeSession. No
Horde_Registry.

Controller constructs an AuthCredentialStore per request bound to
the session attribute the middleware put on the request. The
DI-resolved AuthCredentialStore is keyed to whatever HordeSession
HordeSessionFactory produced at request start, NOT the one the
middleware loaded from the cookie. Local construction is the
prototype-correct path. Future work refactors per-app state listing
into AuthCredentialStore properly when a real consumer arrives.

Plan: horde-development/strategies/modern-session-migration/
session-whoami-demo-plan-2026-06-11.md
@ralflang ralflang merged commit 05c6c61 into FRAMEWORK_6_0 Jun 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant