feat: pluggable HTTP session store — JDBC and Redis backends for multi-pod deployments

coopernetes · coopernetes · commit d9dabb78255d · 2026-04-12T10:27:05.000-04:00
Adds server.session-store config (none | jdbc | redis). In-memory sessions (none) remain the default so existing single-instance deployments are unaffected. Set session-store: jdbc to persist sessions to the existing JDBC database with zero new infrastructure; set session-store: redis to point at an in-cluster Redis/Valkey pod. Session store is wired via Spring Session 4.0.2. The SessionRepositoryFilter is registered in the Jetty filter chain ahead of Spring Security so that distributed sessions are in place before authentication state is read. JDBC backend creates SPRING_SESSION / SPRING_SESSION_ATTRIBUTES tables via DatabaseMigrator V4. V3 (email unique constraint, previously on disk but unregistered) is also added to the migration registry. Redis connection configured via server.redis.{host,port,password,ssl}. closes #136
diff --git a/build.gradle b/build.gradle
@@ -35,6 +35,7 @@ ext {
     // Spring
     springVersion = '7.0.6'
     springSecurityVersion = '7.0.4'
+    springSessionVersion = '4.0.2'
 
     // YAML
     snakeyamlVersion = '2.2'
diff --git a/git-proxy-java-core/src/main/java/org/finos/gitproxy/db/jdbc/DatabaseMigrator.java b/git-proxy-java-core/src/main/java/org/finos/gitproxy/db/jdbc/DatabaseMigrator.java
@@ -38,7 +38,9 @@ private record Migration(String version, String description, String resource, bo
             new Migration("1", "initial schema", "db/migration/V1__initial_schema.sql", false),
             new Migration("2", "provider id format", "db/migration/V2__provider_id_format.sql", false),
             new Migration(
-                    "2.1", "widen provider columns", "db/migration-postgresql/V2_1__widen_provider_columns.sql", true));
+                    "2.1", "widen provider columns", "db/migration-postgresql/V2_1__widen_provider_columns.sql", true),
+            new Migration("3", "email unique constraint", "db/migration/V3__email_unique.sql", false),
+            new Migration("4", "spring session tables", "db/migration/V4__spring_session.sql", false));
 
     // ---------------------------------------------------------------------------
 
diff --git a/git-proxy-java-core/src/main/resources/db/migration/V4__spring_session.sql b/git-proxy-java-core/src/main/resources/db/migration/V4__spring_session.sql
@@ -0,0 +1,28 @@
+-- Spring Session JDBC store tables.
+-- Created unconditionally on all JDBC backends so the schema is consistent regardless of whether
+-- server.session-store=jdbc is currently configured. Tables are unused when another store is selected.
+-- BYTEA is compatible with both PostgreSQL and H2 2.x (which accepts it as a BINARY VARYING alias).
+
+CREATE TABLE IF NOT EXISTS SPRING_SESSION (
+    PRIMARY_ID            CHAR(36)     NOT NULL,
+    SESSION_ID            CHAR(36)     NOT NULL,
+    CREATION_TIME         BIGINT       NOT NULL,
+    LAST_ACCESS_TIME      BIGINT       NOT NULL,
+    MAX_INACTIVE_INTERVAL INT          NOT NULL,
+    EXPIRY_TIME           BIGINT       NOT NULL,
+    PRINCIPAL_NAME        VARCHAR(100) DEFAULT NULL,
+    CONSTRAINT SPRING_SESSION_PK PRIMARY KEY (PRIMARY_ID)
+);
+
+CREATE UNIQUE INDEX IF NOT EXISTS SPRING_SESSION_IX1 ON SPRING_SESSION (SESSION_ID);
+CREATE INDEX IF NOT EXISTS SPRING_SESSION_IX2 ON SPRING_SESSION (EXPIRY_TIME);
+CREATE INDEX IF NOT EXISTS SPRING_SESSION_IX3 ON SPRING_SESSION (PRINCIPAL_NAME);
+
+CREATE TABLE IF NOT EXISTS SPRING_SESSION_ATTRIBUTES (
+    SESSION_PRIMARY_ID CHAR(36)     NOT NULL,
+    ATTRIBUTE_NAME     VARCHAR(200) NOT NULL,
+    ATTRIBUTE_BYTES    BYTEA        NOT NULL,
+    CONSTRAINT SPRING_SESSION_ATTRIBUTES_PK PRIMARY KEY (SESSION_PRIMARY_ID, ATTRIBUTE_NAME),
+    CONSTRAINT SPRING_SESSION_ATTRIBUTES_FK FOREIGN KEY (SESSION_PRIMARY_ID)
+        REFERENCES SPRING_SESSION (PRIMARY_ID) ON DELETE CASCADE
+);
diff --git a/git-proxy-java-dashboard/build.gradle b/git-proxy-java-dashboard/build.gradle
@@ -148,6 +148,10 @@ dependencies {
     implementation "org.springframework.security:spring-security-oauth2-client:${springSecurityVersion}"
     implementation "org.springframework.security:spring-security-oauth2-jose:${springSecurityVersion}"
 
+    // Spring Session — JDBC and Redis backends for distributed session management
+    implementation "org.springframework.session:spring-session-jdbc:${springSessionVersion}"
+    implementation "org.springframework.session:spring-session-data-redis:${springSessionVersion}"
+
     // Jackson JSON processing
     implementation "tools.jackson.core:jackson-databind"
 
diff --git a/git-proxy-java-dashboard/src/main/java/org/finos/gitproxy/dashboard/GitProxyWithDashboardApplication.java b/git-proxy-java-dashboard/src/main/java/org/finos/gitproxy/dashboard/GitProxyWithDashboardApplication.java
@@ -97,8 +97,16 @@ public void lifeCycleStopping(LifeCycle event) {
         });
 
         // Spring MVC DispatcherServlet at /* - git-specific paths take precedence per servlet spec
+        var jdbcDataSource = configBuilder.getJdbcDataSourceOrNull();
         registerSpringServlet(
-                context, ctx, providerConfig, gitProxyConfig, configHolder, liveConfigLoader, repoRegistry);
+                context,
+                ctx,
+                providerConfig,
+                gitProxyConfig,
+                configHolder,
+                liveConfigLoader,
+                repoRegistry,
+                jdbcDataSource);
 
         server.setHandler(context);
         server.start();
@@ -118,9 +126,10 @@ private static void registerSpringServlet(
             GitProxyConfig gitProxyConfig,
             ConfigHolder configHolder,
             LiveConfigLoader liveConfigLoader,
-            RepoRegistry repoRegistry) {
+            RepoRegistry repoRegistry,
+            javax.sql.DataSource jdbcDataSource) {
         var appContext = new AnnotationConfigWebApplicationContext();
-        appContext.register(SpringWebConfig.class, SecurityConfig.class);
+        appContext.register(SpringWebConfig.class, SecurityConfig.class, SessionStoreConfig.class);
         appContext.addBeanFactoryPostProcessor(bf -> {
             bf.registerSingleton("pushStore", ctx.pushStore());
             bf.registerSingleton("providers", providers);
@@ -133,6 +142,11 @@ private static void registerSpringServlet(
             if (ctx.repoPermissionService() != null) {
                 bf.registerSingleton("repoPermissionService", ctx.repoPermissionService());
             }
+            // Expose the JDBC DataSource as a Spring bean so SessionStoreConfig can inject it
+            // when session-store=jdbc. Null for MongoDB deployments (no JDBC DataSource available).
+            if (jdbcDataSource != null) {
+                bf.registerSingleton("dataSource", jdbcDataSource);
+            }
         });
 
         // Refresh the Spring context inside a ServletContextListener so the ServletContext is set
@@ -157,6 +171,17 @@ public void contextDestroyed(ServletContextEvent sce) {
         holder.setInitOrder(1);
         context.addServlet(holder, "/*");
 
+        // Spring Session filter — must be registered before Spring Security so that the distributed
+        // session store is in place before Security reads authentication state from the session.
+        // The filter is always wired (even for session-store=none, where it uses an in-memory store
+        // equivalent to the default Jetty session behaviour).
+        var sessionFilter = new FilterHolder(new DelegatingFilterProxy("springSessionRepositoryFilter", appContext));
+        sessionFilter.setName("springSessionRepositoryFilter");
+        sessionFilter.setAsyncSupported(true);
+        for (String path : new String[] {"/api/*", "/login", "/logout", "/", "/oauth2/*", "/login/oauth2/*"}) {
+            context.addFilter(sessionFilter, path, EnumSet.of(DispatcherType.REQUEST, DispatcherType.ERROR));
+        }
+
         // Wire Spring Security filter chain into Jetty. Register only on the paths Spring Security
         // actually protects — never on /push/* or /proxy/* to avoid interfering with async git streaming.
         // /oauth2/* and /login/oauth2/* are needed for the OIDC authorization code flow; they are
diff --git a/git-proxy-java-dashboard/src/main/java/org/finos/gitproxy/dashboard/SessionStoreConfig.java b/git-proxy-java-dashboard/src/main/java/org/finos/gitproxy/dashboard/SessionStoreConfig.java
@@ -0,0 +1,121 @@
+package org.finos.gitproxy.dashboard;
+
+import jakarta.servlet.Filter;
+import java.time.Duration;
+import java.util.concurrent.ConcurrentHashMap;
+import javax.sql.DataSource;
+import lombok.extern.slf4j.Slf4j;
+import org.finos.gitproxy.jetty.config.GitProxyConfig;
+import org.finos.gitproxy.jetty.config.ServerConfig.RedisConfig;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.data.redis.connection.RedisStandaloneConfiguration;
+import org.springframework.data.redis.connection.lettuce.LettuceClientConfiguration;
+import org.springframework.data.redis.connection.lettuce.LettuceConnectionFactory;
+import org.springframework.data.redis.core.RedisTemplate;
+import org.springframework.data.redis.serializer.RedisSerializer;
+import org.springframework.jdbc.core.JdbcTemplate;
+import org.springframework.jdbc.datasource.DataSourceTransactionManager;
+import org.springframework.session.MapSessionRepository;
+import org.springframework.session.SessionRepository;
+import org.springframework.session.data.redis.RedisIndexedSessionRepository;
+import org.springframework.session.jdbc.JdbcIndexedSessionRepository;
+import org.springframework.session.web.http.SessionRepositoryFilter;
+import org.springframework.transaction.support.TransactionTemplate;
+
+/**
+ * Wires the HTTP session store based on {@code server.session-store} in git-proxy.yml.
+ *
+ * <ul>
+ *   <li>{@code none} (default) — in-memory {@link MapSessionRepository}; sessions are lost on restart
+ *   <li>{@code jdbc} — {@link JdbcIndexedSessionRepository}; persisted to the configured JDBC database
+ *   <li>{@code redis} — {@link RedisIndexedSessionRepository}; persisted to Redis/Valkey
+ * </ul>
+ *
+ * <p>The {@code springSessionRepositoryFilter} bean is always registered so that
+ * {@link GitProxyWithDashboardApplication} can unconditionally wire it into the Jetty filter chain ahead of Spring
+ * Security.
+ */
+@Slf4j
+@Configuration
+public class SessionStoreConfig {
+
+    @Autowired
+    private GitProxyConfig gitProxyConfig;
+
+    /** Injected only for JDBC backends — null for MongoDB deployments. */
+    @Autowired(required = false)
+    private DataSource dataSource;
+
+    @Bean
+    @SuppressWarnings("unchecked")
+    public SessionRepository<?> sessionRepository() {
+        String store = gitProxyConfig.getServer().getSessionStore();
+        Duration timeout = Duration.ofSeconds(gitProxyConfig.getAuth().getSessionTimeoutSeconds());
+        return switch (store) {
+            case "jdbc" -> buildJdbc(timeout);
+            case "redis" -> buildRedis(timeout);
+            default -> {
+                log.info("Session store: in-memory (server.session-store=none). Sessions will not survive restarts.");
+                var repo = new MapSessionRepository(new ConcurrentHashMap<>());
+                repo.setDefaultMaxInactiveInterval(timeout);
+                yield repo;
+            }
+        };
+    }
+
+    @Bean(name = "springSessionRepositoryFilter")
+    @SuppressWarnings({"rawtypes", "unchecked"})
+    public Filter springSessionRepositoryFilter(SessionRepository sessionRepository) {
+        return new SessionRepositoryFilter<>(sessionRepository);
+    }
+
+    // ── JDBC ─────────────────────────────────────────────────────────────────
+
+    private JdbcIndexedSessionRepository buildJdbc(Duration timeout) {
+        if (dataSource == null) {
+            throw new IllegalStateException(
+                    "server.session-store=jdbc requires a JDBC database (h2-file, h2-mem, or postgres)."
+                            + " Current database.type is mongo — use session-store: none or provision a JDBC database.");
+        }
+        log.info("Session store: JDBC (server.session-store=jdbc)");
+        var jdbcOps = new JdbcTemplate(dataSource);
+        var txOps = new TransactionTemplate(new DataSourceTransactionManager(dataSource));
+        var repo = new JdbcIndexedSessionRepository(jdbcOps, txOps);
+        repo.setDefaultMaxInactiveInterval(timeout);
+        return repo;
+    }
+
+    // ── Redis ─────────────────────────────────────────────────────────────────
+
+    private RedisIndexedSessionRepository buildRedis(Duration timeout) {
+        RedisConfig redisCfg = gitProxyConfig.getServer().getRedis();
+        log.info(
+                "Session store: Redis (server.session-store=redis, host={}:{})",
+                redisCfg.getHost(),
+                redisCfg.getPort());
+
+        var standaloneConfig = new RedisStandaloneConfiguration(redisCfg.getHost(), redisCfg.getPort());
+        if (!redisCfg.getPassword().isBlank()) {
+            standaloneConfig.setPassword(redisCfg.getPassword());
+        }
+
+        LettuceClientConfiguration clientConfig = redisCfg.isSsl()
+                ? LettuceClientConfiguration.builder().useSsl().build()
+                : LettuceClientConfiguration.defaultConfiguration();
+
+        var factory = new LettuceConnectionFactory(standaloneConfig, clientConfig);
+        factory.afterPropertiesSet();
+
+        var template = new RedisTemplate<String, Object>();
+        template.setConnectionFactory(factory);
+        template.setKeySerializer(RedisSerializer.string());
+        template.setHashKeySerializer(RedisSerializer.string());
+        template.afterPropertiesSet();
+
+        var repo = new RedisIndexedSessionRepository(template);
+        repo.setDefaultMaxInactiveInterval(timeout);
+        return repo;
+    }
+}
diff --git a/git-proxy-java-server/src/main/java/org/finos/gitproxy/jetty/config/JettyConfigurationBuilder.java b/git-proxy-java-server/src/main/java/org/finos/gitproxy/jetty/config/JettyConfigurationBuilder.java
@@ -665,6 +665,16 @@ private MongoStoreFactory requireMongoStoreFactory() {
         return cachedMongoStoreFactory;
     }
 
+    /**
+     * Returns the JDBC {@link DataSource} for JDBC-backed database types ({@code h2-mem}, {@code h2-file},
+     * {@code postgres}). Returns {@code null} for {@code mongo} — callers that need a DataSource for features like
+     * session persistence should check for null and either skip or fail gracefully.
+     */
+    public DataSource getJdbcDataSourceOrNull() {
+        if ("mongo".equals(config.getDatabase().getType())) return null;
+        return requireJdbcDataSource();
+    }
+
     private DataSource requireJdbcDataSource() {
         if (cachedDataSource == null) {
             DatabaseConfig db = config.getDatabase();
diff --git a/git-proxy-java-server/src/main/java/org/finos/gitproxy/jetty/config/ServerConfig.java b/git-proxy-java-server/src/main/java/org/finos/gitproxy/jetty/config/ServerConfig.java
@@ -68,4 +68,31 @@ public class ServerConfig {
 
     /** TLS configuration for the server listener and upstream trust. Omit entirely to use plain HTTP. */
     private TlsConfig tls = new TlsConfig();
+
+    /**
+     * HTTP session persistence backend. Values:
+     *
+     * <ul>
+     *   <li>{@code none} (default) — in-memory sessions; sessions are lost on restart and not shared across instances
+     *   <li>{@code jdbc} — persisted to the configured JDBC database ({@code h2-file} or {@code postgres}); zero new
+     *       infrastructure required, uses the same DataSource as the push store
+     *   <li>{@code redis} — persisted to a Redis or Valkey instance; configure connection via {@code server.redis.*}
+     * </ul>
+     *
+     * <p>Use {@code jdbc} or {@code redis} when running multiple instances sharing a database so that authenticated
+     * sessions survive pod restarts and are visible across all instances.
+     */
+    private String sessionStore = "none";
+
+    /** Redis connection settings — used when {@code server.session-store: redis}. */
+    private RedisConfig redis = new RedisConfig();
+
+    /** Binds the {@code server.redis:} block. */
+    @Data
+    public static class RedisConfig {
+        private String host = "localhost";
+        private int port = 6379;
+        private String password = "";
+        private boolean ssl = false;
+    }
 }
diff --git a/git-proxy-java-server/src/main/resources/git-proxy.yml b/git-proxy-java-server/src/main/resources/git-proxy.yml
@@ -10,6 +10,21 @@ server:
   # Sends a "." progress packet periodically to prevent idle-timeout disconnects during long validation steps
   # (e.g. secret scanning, approval polling). Set to 0 to disable.
   heartbeat-interval-seconds: 10
+  # HTTP session persistence backend. Options:
+  #   none   — in-memory sessions (default); sessions are lost on restart and not shared across instances
+  #   jdbc   — persisted to the configured JDBC database (h2-file or postgres); no new infrastructure needed
+  #   redis  — persisted to a Redis or Valkey instance; configure connection via server.redis.*
+  # Use jdbc or redis when running multiple instances sharing a database so that authenticated sessions
+  # survive pod restarts and remain valid across all pods.
+  # session-store: none
+
+  # Redis connection — required when session-store: redis
+  # redis:
+  #   host: redis.cluster.local
+  #   port: 6379
+  #   password: ""
+  #   ssl: false
+
   # Origins allowed to make cross-origin requests to the dashboard REST API.
   # Required when the frontend is served from a different hostname than the backend (e.g. behind a load balancer).
   # Default (empty): same-origin only. Override per-deployment in git-proxy-local.yml or via
