security

func BindSession ¶ added in v0.29.0

func BindSession(
	session sessiontypes.MultiSession,
	identity *auth.Identity,
) (sessiontypes.MultiSession, error)

BindSession wraps a session with identity-binding validation. It writes the canonical binding into session metadata under MetadataKeyIdentityBinding and returns a decorator that validates the caller on every operation.

Whether the session is anonymous is derived from the identity via types.ShouldAllowAnonymous.

For bound sessions, the (iss, sub) tuple is extracted from identity.Claims. If the tuple cannot be extracted (missing claims, non-string claims, or invalid format), BindSession returns an error BEFORE writing anything to the session metadata — preserving the invariant that a session always has a valid MetadataKeyIdentityBinding value once written.

Returns an error if session is nil, or if a bound identity is required but no valid (iss, sub) binding can be produced.

func RestoreSessionBinding ¶ added in v0.29.0

func RestoreSessionBinding(
	session sessiontypes.MultiSession,
	storedBinding string,
) (sessiontypes.MultiSession, error)

RestoreSessionBinding recreates the session-binding decorator from a persisted binding string read out of session metadata. Use this when reconstructing a MultiSession after a pod restart or cross-pod failover.

This function is the symmetric counterpart of BindSession for the restore path. It is invoked by the session factory after RestoreSession deserializes the binding from session metadata. Unlike BindSession, it does NOT write metadata — the factory has already restored the metadata layer separately.

storedBinding must be either:

• binding.UnauthenticatedSentinel (the session was anonymous), or
• a valid bound binding (binding.Parse returns ok).

Anything else (empty string, malformed value) is rejected as corrupted metadata.