-
Notifications
You must be signed in to change notification settings - Fork 133
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
f47f8b9
commit 8ff4032
Showing
1 changed file
with
15 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -240,4 +240,18 @@ curl -X POST \ | |
| -H "Accept: application/json" \ | ||
| -d '{"NS":"test", "DB":"test", "SC":"user", "email":"[email protected]", "password":"VerySecurePassword!"}' \ | ||
| http://localhost:8000/signin | ||
| ``` | ||
| ``` | ||
|
|
||
| ## Sessions | ||
|
|
||
| Whenever authentication is performed with any kind of user against SurrealDB, a session is established between the client and the SurrealDB server with which the connection was established. These sessions persist on the server for the duration of the connection, whether it is a single request through the [HTTP REST API](/docs/surrealdb/integration/http) or through multiple requests in the same connection using the [WebSocket API](/docs/surrealdb/integration/rpc) and any of the [SDKs](/docs/surrealdb/integration/sdks/) that leverage it. | ||
|
|
||
| ### Expiration <l className='purple'>Since 1.3.0</l> | ||
|
|
||
| Authenticated sessions established using a token (i.e. JWT) will remain authenticated for as long as that token is valid according to its `exp` claim. Whenever a token that was used to establish a session expires, so will the session. This is especially relevant in the case of [WebSocket](/docs/surrealdb/integration/rpc) connections such as those used by the [SurrealDB SDKs](/docs/surrealdb/integration/sdks/). Expired sessions can no longer be used to call authenticated methods and doing so will result in a specific error indicating that the session has expired. SurrealQL can be used to check the expiration of the active session by running `SELECT exp FROM $session`, which show the Unix time when the session will expire or `NONE` in the case that the session does not expire. | ||
|
|
||
| Clients can reuse a connection with an expired session to refresh the session using a new token that has not yet expired. This includes calling the [`signin`](/docs/surrealdb/integration/rpc#signin) method to obtain a new token with credentials, which will replace the expired session token, or calling the [`authenticate`](/docs/surrealdb/integration/rpc#authenticate) method to replace the expired session token with a new token. | ||
|
|
||
| Although SurrealDB sessions will always eventually expire when a token containing an expiration claim is used to authenticate, SurrealDB will not set a session expiration in sessions established when authenticating as a system user with credentials. This is due to the fact that all tokens issued by SurrealDB have a default duration of 24 hours, which cannot currently be modified in the case of system users. However, if a system user authenticates using a token, the expiration of the token will be used in the session regardless of the type of user and whether this token was issued by SurrealDB or a third party. | ||
|
|
||
| In summary, session expiration will always match the token expiration when authenticating with a token. When authenticating with credentials, session expiration will match the scope session duration defined via the `DURATION` clause in [`DEFINE SCOPE`](/docs/surrealdb/surrealql/statements/define/scope) in the case of scope users. In the case of authenticating as a system user with credentials, sessions will currently not expire. | ||