Phase 5 Runbook (Session Reuse Prototype)
This runbook starts a minimal k_server + k_proxy prototype for session reuse testing.
What This Prototype Covers
- k_proxy creates short-lived sessions.
- Session creation uses a card-presence check (fido2_probe.py --json) as the current auth gate.
- Valid sessions can repeatedly access a protected k_server counter endpoint without re-running card auth each request.
- Session status and logout/invalidation paths are implemented.
Start Services
In k_server VM:
python3 /home/user/chromecard/k_server_app.py --host 127.0.0.1 --port 8780 --proxy-token dev-proxy-token
In k_proxy VM:
python3 /home/user/chromecard/k_proxy_app.py \
--host 127.0.0.1 \
--port 8770 \
--session-ttl 300 \
--server-base-url http://127.0.0.1:8780 \
--proxy-token dev-proxy-token
Test Flow
Create a session (runs auth gate once):
curl -sS -X POST http://127.0.0.1:8770/session/login \
-H 'Content-Type: application/json' \
-d '{"username":"alice"}'
Copy session_token from response, then:
TOKEN='<paste-token>'
Check session:
curl -sS -X POST http://127.0.0.1:8770/session/status \
-H "Authorization: Bearer $TOKEN"
Call protected resource multiple times (should not require new login):
curl -sS -X POST http://127.0.0.1:8770/resource/counter \
-H "Authorization: Bearer $TOKEN"
curl -sS -X POST http://127.0.0.1:8770/resource/counter \
-H "Authorization: Bearer $TOKEN"
Logout/invalidate:
curl -sS -X POST http://127.0.0.1:8770/session/logout \
-H "Authorization: Bearer $TOKEN"
Re-check after logout (should fail with 401):
curl -i -X POST http://127.0.0.1:8770/resource/counter \
-H "Authorization: Bearer $TOKEN"
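The flow above exercises four session semantics: the auth gate runs once at login, a bearer token is reused across protected calls, the token is bounded by --session-ttl, and logout invalidates it so the next call gets 401. The following is an added example, not code from k_proxy_app.py or k_server_app.py, that models those semantics in an in-memory store so the expected behaviour can be checked without the VMs or a card. The card_present_gate function is a constructed stand-in for the fido2_probe.py --json check, and the clock injection exists only so TTL expiry can be driven deterministically.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Default TTL mirrors the runbook's --session-ttl 300.
TTL_SECONDS = 300


@dataclass
class Session:
    username: str
    expires_at: float
    counter: int = 0   # models the protected k_server counter resource


class SessionStore:
    """Illustrative model of the proxy's session semantics (assumption, not project code)."""

    def __init__(self, ttl=TTL_SECONDS, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock
        self._sessions = {}   # token -> Session

    def login(self, username, auth_gate):
        """Run the auth gate exactly once; on success mint a high-entropy bearer token."""
        if not auth_gate(username):
            raise PermissionError("auth gate rejected login")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(username, self._clock() + self._ttl)
        return token

    def _find(self, token):
        """Return (stored_key, session) for a live token, or (None, None).

        Tokens are compared with hmac.compare_digest so lookup time does not leak
        how many leading characters of a guessed token matched. Expired sessions
        are dropped on first touch and treated as unauthenticated.
        """
        for stored, session in self._sessions.items():
            if hmac.compare_digest(stored, token):
                if self._clock() >= session.expires_at:
                    del self._sessions[stored]
                    return None, None
                return stored, session
        return None, None

    def status(self, token):
        _, session = self._find(token)
        if session is None:
            return 401, {"error": "invalid or expired session"}
        remaining = int(session.expires_at - self._clock())
        return 200, {"username": session.username, "ttl_remaining": remaining}

    def counter(self, token):
        """Protected resource: increments per call, no re-authentication required."""
        _, session = self._find(token)
        if session is None:
            return 401, {"error": "invalid or expired session"}
        session.counter += 1
        return 200, {"username": session.username, "counter": session.counter}

    def logout(self, token):
        """Invalidate the session; any later use of the token must get 401."""
        stored, session = self._find(token)
        if session is None:
            return 401, {"error": "invalid or expired session"}
        del self._sessions[stored]
        return 200, {"logged_out": session.username}


def card_present_gate(username):
    # Constructed stand-in for the fido2_probe.py --json presence check.
    return username == "alice"


def run_flow(store, username="alice"):
    """Replay the runbook's curl sequence and return the HTTP status of each step."""
    token = store.login(username, card_present_gate)
    codes = [store.status(token)[0]]
    codes.append(store.counter(token)[0])   # first protected call
    codes.append(store.counter(token)[0])   # second call, same token, no new login
    codes.append(store.logout(token)[0])
    codes.append(store.counter(token)[0])   # after logout: must be 401
    return codes


class FakeClock:
    """Deterministic clock so TTL expiry can be exercised without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


if __name__ == "__main__":
    print(run_flow(SessionStore()))   # expected: [200, 200, 200, 200, 401]
```

The two behaviours worth asserting when the real services are wired in are the final 401 after logout and the 401 once the TTL has elapsed; a reused token that still returns 200 after either event means invalidation is not reaching the store the proxy actually consults.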
Current Limitations
- This uses card-presence probing, not a full WebAuthn assertion verification path.
- Intended as a Phase 5 starter for session semantics and proxy/server behavior.