Skip to content

Session token V2 #3671

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
roman-khimov merged 9 commits into from
Jan 30, 2026
Merged

Session token V2 #3671

roman-khimov merged 9 commits into from
Jan 30, 2026

Conversation

@End-rey
Copy link
Contributor

@End-rey End-rey commented Nov 7, 2025

@End-rey End-rey self-assigned this Nov 7, 2025
@End-rey End-rey force-pushed the new-session-token-v2 branch from 5bba446 to f730e2f Compare November 7, 2025 20:53
@codecov
Copy link

codecov bot commented Nov 7, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 18.12689% with 542 lines in your changes missing coverage. Please review.
✅ Project coverage is 25.56%. Comparing base (03bbf38) to head (8a4e2a0).
⚠️ Report is 13 commits behind head on master.

Files with missing lines Patch % Lines
cmd/neofs-cli/modules/object/util.go 0.00% 62 Missing ⚠️
cmd/neofs-cli/modules/session/create_v2.go 0.00% 58 Missing ⚠️
pkg/services/object/acl/v2/service.go 21.91% 56 Missing and 1 partial ⚠️
pkg/services/container/server.go 57.57% 31 Missing and 11 partials ⚠️
internal/crypto/tokens.go 0.00% 26 Missing ⚠️
pkg/services/object/search/util.go 0.00% 24 Missing ⚠️
pkg/services/object/get/exec.go 0.00% 21 Missing ⚠️
pkg/services/object/util/prm.go 0.00% 19 Missing ⚠️
pkg/innerring/processors/container/common.go 0.00% 18 Missing ⚠️
pkg/morph/client/netmap/epoch.go 0.00% 18 Missing ⚠️
... and 32 more
Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #3671      +/-   ##
==========================================
- Coverage   25.67%   25.56%   -0.12%     
==========================================
  Files         660      660              
  Lines       42177    42665     +488     
==========================================
+ Hits        10830    10907      +77     
- Misses      30363    30753     +390     
- Partials      984     1005      +21

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@End-rey End-rey force-pushed the new-session-token-v2 branch 4 times, most recently from 41ab8d0 to e66bf4b Compare November 18, 2025 12:30
@End-rey End-rey mentioned this pull request Nov 18, 2025
Merged
@End-rey End-rey force-pushed the new-session-token-v2 branch 2 times, most recently from eed01c8 to f9d051d Compare December 12, 2025 15:42
@End-rey End-rey force-pushed the new-session-token-v2 branch 2 times, most recently from 5b82365 to cea1b4d Compare December 20, 2025 23:05
This was referenced Dec 22, 2025
Merged
Merged
@End-rey End-rey force-pushed the new-session-token-v2 branch from cea1b4d to 2122d4d Compare December 22, 2025 18:37
@cthulhu-rider cthulhu-rider mentioned this pull request Dec 25, 2025
Merged
roman-khimov added a commit that referenced this pull request Dec 25, 2025
@roman-khimov
Cli session token v2 (#3750)
d4dafbb 
Part of #3671.
@End-rey End-rey force-pushed the new-session-token-v2 branch 5 times, most recently from eb453b4 to 1a9aab2 Compare December 26, 2025 16:11
@End-rey End-rey marked this pull request as ready for review December 26, 2025 16:26
@End-rey End-rey mentioned this pull request Dec 26, 2025
Closed
carpawell
carpawell reviewed Dec 30, 2025
View reviewed changes
@End-rey End-rey force-pushed the new-session-token-v2 branch from 1a9aab2 to b39cd77 Compare January 12, 2026 15:14
@End-rey End-rey mentioned this pull request Jan 12, 2026
Closed
@End-rey End-rey force-pushed the new-session-token-v2 branch from 9fb4519 to 04b1e68 Compare January 26, 2026 12:43
@End-rey
Copy link
Contributor Author

End-rey commented Jan 26, 2026

Added nns resolver to get, put, delete, and search services to verify v2 tokens as well as v1 tokens. Is this approach with a single nns resolver acceptable?

@End-rey End-rey requested a review from cthulhu-rider January 26, 2026 12:47
@End-rey End-rey force-pushed the new-session-token-v2 branch from 04b1e68 to 96a1be0 Compare January 27, 2026 15:03
@End-rey
Copy link
Contributor Author

End-rey commented Jan 27, 2026

Ref nspcc-dev/neofs-testcases#1266 (comment).
Issues 1 and 3 have been resolved. For problem 2, it is necessary to update the SDK afterwards nspcc-dev/neofs-sdk-go#773.

@End-rey End-rey force-pushed the new-session-token-v2 branch from 96a1be0 to 8384476 Compare January 28, 2026 11:38
carpawell
carpawell reviewed Jan 28, 2026
View reviewed changes
internal/crypto/tokens.go
Signature() (neofscrypto.Signature, bool)
Issuer() user.ID
Iat() time.Time
}](token T, fsChain HistoricN3ScriptRunner) error {
Copy link
Member

@carpawell carpawell Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why you choose a generic type for smth that is called TokenV2? can it be anything other than that?

Copy link
Contributor Author

@End-rey End-rey Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I made like in #3778:

neofs-node/pkg/services/container/server.go

Line 383 in 2931333

if err := icrypto.AuthenticateTokenV2(sessionTokenV2WithEncodedBody{

@roman-khimov roman-khimov requested a review from Copilot January 28, 2026 16:30
Copilot AI reviewed Jan 28, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR implements support for Session Token V2, a new session token format for NeoFS, enabling multi-subject authorization, NNS name resolution, and token delegation chains. The implementation maintains backward compatibility with V1 tokens.

Changes:

  • Added Session Token V2 support across object and container services with multi-subject authorization and NNS resolution
  • Introduced chain time provider for time-based token validation using blockchain timestamps
  • Removed deprecated temporary session storage in favor of persistent storage only
  • Enhanced CLI with session create-v2 command and automatic server-side session key creation

Reviewed changes

Copilot reviewed 66 out of 67 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
internal/chaintime/chaintime.go New atomic chain time provider for V2 token time validation
internal/crypto/tokens.go, object.go, n3.go Added V2 token authentication with time-based verification
pkg/util/state/token.go Added FindTokenBySubjects for V2 multi-subject token lookup
pkg/util/state/session/temporary/* Removed temporary in-memory storage (deleted files)
pkg/services/object/* V2 token support in get, put, search, delete operations
pkg/services/container/server.go V2 token verification for container operations
pkg/services/object/acl/v2/service.go V2 token ACL checks with NNS resolver integration
cmd/neofs-cli/modules/session/create_v2.go CLI command to create V2 tokens with server-side keys
cmd/neofs-cli/modules/object/* Object commands updated for V2 token support
pkg/innerring/processors/container/* Inner ring V2 token processing
go.mod, go.sum Updated neofs-sdk-go dependency

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@End-rey End-rey force-pushed the new-session-token-v2 branch from 8384476 to cb51efe Compare January 28, 2026 18:16
@roman-khimov roman-khimov mentioned this pull request Jan 29, 2026
Open
@End-rey End-rey force-pushed the new-session-token-v2 branch from cb51efe to d384855 Compare January 29, 2026 11:13
@End-rey End-rey requested a review from carpawell January 29, 2026 11:17
@End-rey End-rey force-pushed the new-session-token-v2 branch from d384855 to 8d4a70c Compare January 29, 2026 14:13
@End-rey
state: drop unused temporary token store
be9d62c 
Signed-off-by: Andrey Butusov <andrey@nspcc.io>
@End-rey
go.mod: update SDK
cd2e547 
Signed-off-by: Andrey Butusov <andrey@nspcc.io>
@End-rey
crypto: add session token v2 authentication
d505e51 
Add invoke of netmap contract function `GetEpochBlockByTime`. Use it to verify
n3 scripts of session token v2.

Signed-off-by: Andrey Butusov <andrey@nspcc.io>
@End-rey
cli/object: create session token V2 by default
dd90ab2 
Set subjects to default session token from `session-subjects` and
`session-subjects-nns` flags for put, delete and lock operations.

Signed-off-by: Andrey Butusov <andrey@nspcc.io>
@End-rey
internal: add struct for managing chain timestamps
ebb2929 
Signed-off-by: Andrey Butusov <andrey@nspcc.io>
@End-rey
core: add nns resolver
110ecc9 
Implementation of nns resolver for session token v2. Uses cache to optimize
requests.

Signed-off-by: Andrey Butusov <andrey@nspcc.io>
@End-rey
ir: add new session token v2
86b71d2 
Check new session tokens in inner ring container processors.

Signed-off-by: Andrey Butusov <andrey@nspcc.io>
@End-rey
container: add new session token v2
65d1f85 
Check container requests with new v2 session tokens, verify them using the nns
resolver. Use `OriginalIssuer` in container operation CLI commands.

Signed-off-by: Andrey Butusov <andrey@nspcc.io>
@End-rey
object: add new session token v2
8a4e2a0 
Check object requests with new v2 session tokens, verify them using the nns
resolver. Pass the v2 session token through the slicer, set them to the object
session token, and authorize objects using the token.

Signed-off-by: Andrey Butusov <andrey@nspcc.io>
@End-rey End-rey force-pushed the new-session-token-v2 branch from 8d4a70c to 8a4e2a0 Compare January 30, 2026 07:51
@roman-khimov roman-khimov merged commit 7ddced8 into master Jan 30, 2026
16 of 21 checks passed
@roman-khimov roman-khimov deleted the new-session-token-v2 branch January 30, 2026 15:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@roman-khimov roman-khimov roman-khimov approved these changes

@carpawell carpawell carpawell approved these changes

@cthulhu-rider cthulhu-rider cthulhu-rider approved these changes

Assignees

@End-rey End-rey

Labels

None yet

Projects

None yet

Milestone

v0.51.0

Development

Successfully merging this pull request may close these issues.

5 participants

@End-rey @roman-khimov @carpawell @cthulhu-rider