Create 0003-store-credentials-in-session.md

digitalservicebund · Aug 28, 2024 · 77fdcef · 77fdcef
1 parent 0f4f600
commit 77fdcef
Showing 1 changed file with 29 additions and 0 deletions.
diff --git a/doc/adr/0003-store-credentials-in-session.md b/doc/adr/0003-store-credentials-in-session.md
@@ -0,0 +1,29 @@
+# 3. Store user credentials in session storage
+
+Date: 2024-08-28
+
+## Status
+
+Accepted
+
+## Context
+
+Track-Your-Time fetches the user data from several external APIs (Troi, Personio and NocoDB) that require authentication.
+
+Additionally, the initial login / authentication (making sure the Troi password is correct, fetching the Personio auth token) takes some time.
+
+It is common practice to have long-lived sessions in web applications to avoid having to re-authenticate the user frequently.
+
+## Decision
+
+In the `login` route we will store the user credentials in session storage on the server after a successful login.
+
+We will use Remixs [sessions](https://remix.run/docs/en/main/utils/sessions) to store the credentials.
+
+We will keep the session alive for a month.
+
+## Consequences
+
+We will make sure that the required security measures are in place to prevent session hijacking, i.e. sealing the secrets, using correct CSP headers, etc.
+
+We will provide a logout route that will destroy the session.