core: migrate all sessions to the database

authentik/blueprints/v1/importer.py

@@ -36,6 +36,7 @@
     GroupSourceConnection,
     PropertyMapping,
     Provider,
+    Session,
     Source,
     User,
     UserSourceConnection,
@@ -107,6 +108,7 @@ def excluded_models() -> list[type[Model]]:
         Policy,
         PolicyBindingModel,
         # Classes that have other dependencies
+        Session,
         AuthenticatedSession,
         # Classes which are only internally managed
         # FIXME: these shouldn't need to be explicitly listed, but rather based off of a mixin

authentik/core/auth.py

@@ -24,6 +24,15 @@ def authenticate(
         self.set_method("password", request)
         return user
 
+    async def aauthenticate(
+        self, request: HttpRequest, username: str | None, password: str | None, **kwargs: Any
+    ) -> User | None:
+        user = await super().aauthenticate(request, username=username, password=password, **kwargs)
+        if not user:
+            return None
+        self.set_method("password", request)
+        return user
+
     def set_method(self, method: str, request: HttpRequest | None, **kwargs):
         """Set method data on current flow, if possbiel"""
         if not request:

authentik/core/management/commands/clearsessions.py

@@ -0,0 +1,11 @@
+"""Change user type"""
+
+from authentik.core.models import Session
+from authentik.tenants.management import TenantCommand
+
+
+class Command(TenantCommand):
+    """Delete all sessions"""
+
+    def handle_per_tenant(self, **options):
+        Session.objects.all().delete()

authentik/core/migrations/0043_session_and_more.py

@@ -0,0 +1,198 @@
+# Generated by Django 5.0.11 on 2025-01-27 12:58
+
+import uuid
+import pickle
+import authentik.core.models
+from django.db import migrations, models
+import authentik.core.models
+import django.db.models.deletion
+from django.conf import settings
+from django.contrib.sessions.backends.cache import KEY_PREFIX
+from django.utils.timezone import now, timedelta
+from authentik.lib.migrations import progress_bar
+from uuid import uuid4
+
+
+SESSION_CACHE_ALIAS = "default"
+
+
+def migrate_redis_sessions(apps, schema_editor):
+    from django.core.cache import caches
+
+    Session = apps.get_model("authentik_core", "Session")
+    db_alias = schema_editor.connection.alias
+    cache = caches[SESSION_CACHE_ALIAS]
+    # Not a redis cache, skipping
+    if not hasattr(cache, "keys"):
+        return
+    print("\nMigration Redis sessions to database, this might take a couple of minutes...")
+    Session.objects.using(db_alias).bulk_create([
+        Session(
+            session_key=key.removeprefix(KEY_PREFIX),
+            session_data=pickle.dumps(session_data, pickle.HIGHEST_PROTOCOL),
+            expires=now() + timedelta(seconds=cache.ttl(key)),
+        )
+        for key, session_data in progress_bar(cache.get_many(cache.keys(f"{KEY_PREFIX}*")).items())
+    ])
+
+
+def migrate_database_sessions(apps, schema_editor):
+    DjangoSession = apps.get_model("sessions", "Session")
+    Session = apps.get_model("authentik_core", "Session")
+    db_alias = schema_editor.connection.alias
+
+    print("\nMigration database sessions, this might take a couple of minutes...")
+    sessions_to_create = []
+    batch = 0
+    for django_session in progress_bar(DjangoSession.objects.using(db_alias).all()):
+        sessions_to_create.append(
+            Session(
+                uuid=uuid4(),
+                session_key=django_session.session_key,
+                session_data=django_session.session_data,
+                expires=django_session.expire_date,
+            )
+        )
+        batch += 1
+        if batch >= 500:
+            Session.objects.using(db_alias).bulk_create(sessions_to_create)
+            sessions_to_create = []
+            batch = 0
+    Session.objects.using(db_alias).bulk_create(sessions_to_create)
+
+
+def migrate_authenticated_sessions(apps, schema_editor):
+    OldAuthenticatedSession = apps.get_model("authentik_core", "OldAuthenticatedSession")
+    AuthenticatedSession = apps.get_model("authentik_core", "AuthenticatedSession")
+    Session = apps.get_model("authentik_core", "Session")
+    db_alias = schema_editor.connection.alias
+
+    print("\nMigration database sessions, this might take a couple of minutes...")
+    for old_session in progress_bar(OldAuthenticatedSession.objects.using(db_alias).all()):
+        AuthenticatedSession.objects.create(
+            session_ptr=Session.objects.get(session_key=old_session.session_key),
+            user=old_session.user,
+            last_ip=old_session.last_ip,
+            last_user_agent=old_session.last_user_agent,
+            last_used=old_session.last_used,
+        )
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("sessions", "0001_initial"),
+        ("authentik_core", "0042_authenticatedsession_authentik_c_expires_08251d_idx_and_more"),
+        ("authentik_providers_oauth2", "0027_accesstoken_authentik_p_expires_9f24a5_idx_and_more"),
+        ("authentik_providers_rac", "0006_connectiontoken_authentik_p_expires_91f148_idx_and_more"),
+    ]
+
+    operations = [
+        # Rename AuthenticatedSession to OldAuthenticatedSession
+        migrations.RenameModel(
+            old_name="AuthenticatedSession",
+            new_name="OldAuthenticatedSession",
+        ),
+        migrations.RenameIndex(
+            model_name="oldauthenticatedsession",
+            new_name="authentik_c_expires_cf4f72_idx",
+            old_name="authentik_c_expires_08251d_idx",
+        ),
+        migrations.RenameIndex(
+            model_name="oldauthenticatedsession",
+            new_name="authentik_c_expirin_c1f17f_idx",
+            old_name="authentik_c_expirin_9cd839_idx",
+        ),
+        migrations.RenameIndex(
+            model_name="oldauthenticatedsession",
+            new_name="authentik_c_expirin_e04f5d_idx",
+            old_name="authentik_c_expirin_195a84_idx",
+        ),
+        migrations.RenameIndex(
+            model_name="oldauthenticatedsession",
+            new_name="authentik_c_session_a44819_idx",
+            old_name="authentik_c_session_d0f005_idx",
+        ),
+        migrations.RunSQL(
+            "ALTER INDEX authentik_core_authenticatedsession_user_id_5055b6cf RENAME TO authentik_core_oldauthenticatedsession_user_id_5055b6cf",
+            "ALTER INDEX authentik_core_oldauthenticatedsession_user_id_5055b6cf RENAME TO authentik_core_authenticatedsession_user_id_5055b6cf",
+        ),
+        # Create new Session and AuthenticatedSession models
+        migrations.CreateModel(
+            name="Session",
+            fields=[
+                (
+                    "uuid",
+                    models.UUIDField(
+                        default=uuid.uuid4, editable=False, primary_key=True, serialize=False
+                    ),
+                ),
+                (
+                    "session_key",
+                    models.CharField(
+                        max_length=40, db_index=True, verbose_name="session key"
+                    ),
+                ),
+                ("session_data", models.TextField(verbose_name="session data")),
+                ("expires", models.DateTimeField(default=None, null=True)),
+                ("expiring", models.BooleanField(default=True)),
+            ],
+            options={
+                "verbose_name": "Session",
+                "verbose_name_plural": "Sessions",
+            },
+            managers=[
+                ("objects", authentik.core.models.SessionManager()),
+            ],
+        ),
+        migrations.AddIndex(
+            model_name="session",
+            index=models.Index(fields=["expires"], name="authentik_c_expires_d2f607_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="session",
+            index=models.Index(fields=["expiring"], name="authentik_c_expirin_7c2cfb_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="session",
+            index=models.Index(
+                fields=["expiring", "expires"], name="authentik_c_expirin_1ab2e4_idx"
+            ),
+        ),
+        migrations.CreateModel(
+            name="AuthenticatedSession",
+            fields=[
+                (
+                    "session_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_core.session",
+                    ),
+                ),
+                ("last_ip", models.TextField()),
+                ("last_user_agent", models.TextField(blank=True)),
+                ("last_used", models.DateTimeField(auto_now=True)),
+                (
+                    "user",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Authenticated Session",
+                "verbose_name_plural": "Authenticated Sessions",
+            },
+            bases=("authentik_core.session",),
+            managers=[
+                ("objects", authentik.core.models.SessionManager()),
+            ],
+        ),
+        migrations.RunPython(migrate_redis_sessions, migrations.RunPython.noop),
+        migrations.RunPython(migrate_database_sessions, migrations.RunPython.noop),
+        # migrations.RunPython(migrate_authenticated_sessions, migrations.RunPython.noop),
+    ]

authentik/core/migrations/0044_delete_oldauthenticatedsession.py

@@ -0,0 +1,37 @@
+# Generated by Django 5.0.11 on 2025-01-27 13:02
+
+from django.db import migrations
+from django.contrib.sessions.backends.cache import KEY_PREFIX
+
+
+def delete_redis_sessions(apps, schema_editor):
+    from django.core.cache import caches
+
+    cache = caches["default"]
+    # Not a redis cache, skipping
+    if not hasattr(cache, "keys"):
+        return
+    cache.delete_many(cache.keys(f"{KEY_PREFIX}*"))
+
+
+def delete_old_database_sessions(apps, schema_editor):
+    DjangoSession = apps.get_model("sessions", "Session")
+    db_alias = schema_editor.connection.alias
+    DjangoSession.objects.using(db_alias).all().delete()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0043_session_and_more"),
+        ("authentik_providers_rac", "0007_migrate_session"),
+        ("authentik_providers_oauth2", "0028_migrate_session"),
+    ]
+
+    operations = [
+        # migrations.DeleteModel(
+        #     name="OldAuthenticatedSession",
+        # ),
+        # migrations.RunPython(code=delete_redis_sessions),
+        # migrations.RunPython(code=delete_old_database_sessions),
+    ]