
Authentication


How sessions work: log in to get a token, send it on every request, log out when done.

Not that hard, see?

Pages

  • Login: POST /auth/login - authenticate and get a session token
  • Logout: POST /auth/logout - kill your own session
  • Status: GET /auth/status - check if your session is still alive and when it will kill itself
  • Clear Sessions: POST /auth/clear-sessions - admin only: nuke all sessions for a specific user

How it works

  1. call /auth/login with credentials for whichever sign-in method you use.
  2. get a magic session token back
  3. send that token as Authorization: Bearer <token> on every damn request after that
  4. when you're done, call /auth/logout to kill your own session
  5. sessions expire after a configurable timeout if you don't use them

Sessions should optionally be able to persist across server restarts (the server only stores a hash of the token in the database, never the raw token itself, obviously). On restart it loads the hash brownies back in.

Each user should have a max number of concurrent sessions (configurable). When you go over the limit, the oldest session gets deported to hell automatically to make room for the new one.