chore: drop unimplemented BFF session config (out of scope) #38
BFF (cookie-based sessions, server-side token storage, refresh) is stateful session-lifecycle management: a separate product (oauth2-proxy, Pomerium), not a transcoding data plane. A server-side session store would also break the stateless multi-instance design. This proxy already covers the stateless auth surface that belongs here (JWT, forward-auth, ext_authz, OIDC discovery). Remove the never-wired BffConfig and its field, drop the BFF-specific OpenAPI cookie security scheme, and document session/BFF as a non-goal. Closes #37
No actionable comments were generated in the recent review. 🎉
| Filename | Overview |
|---|---|
| src/config.rs | Removes the unimplemented BffConfig struct, its three default helpers, and the bff field from AuthConfig — pure dead-code deletion with no behaviour change. |
| src/auth/mod.rs | Drops two bff: None stubs from test config literals to match the removed struct field; no logic change. |
| src/auth/forward.rs | Drops one bff: None stub from a test config literal; no logic change. |
| src/openapi.rs | Removes the cookieAuth security scheme entry from the generated OpenAPI spec; it was never referenced by any operation object so the output schema is unchanged in practice. |
| README.md | Replaces the "Roadmap" section (single BFF bullet) with a "Non-goals" note that explains the stateless design rationale and points to alternatives. |
Summary
Removes the never-implemented `BffConfig`. On reflection, BFF does not belong in this crate: it is stateful session / token-lifecycle management (a separate product category, e.g. `oauth2-proxy` / Pomerium), whereas this proxy is a stateless transcoding data plane with stateless auth primitives. A server-side session / token store would also break the multi-instance-stateless design.

The auth surface that genuinely belongs here is already covered and stateless: JWT validation, forward-auth, external AuthZ (ext_authz), and OIDC discovery.
Changes
- `BffConfig`, the `auth.bff` field, and its default helpers.
- `cookieAuth` OpenAPI security scheme (it was defined for the BFF login flow and never referenced; the proxy authenticates via bearer JWT).
- `bff: None` stubs from auth test configs.

No behavior change: the field was never wired into the request path.
Testing
`cargo nextest run --features redis`: 119 passed. clippy (all-features) + fmt clean.

Closes #37