Session Recovery And Auth Update (2026-03-15)

This note is kept as a migration milestone record.

Current model

  • Server bootstrap uses Authorization: Bearer <serverBootstrapToken> only on POST /server/login.
  • Successful server login returns accessToken and expiresIn.
  • Runtime HTTP and WebSocket both authenticate with Authorization: Bearer <serverAccessToken>.
  • WebSocket no longer accepts serverSessionId query binding.
  • Player login returns accessToken, optional resumeToken, and TTL fields.
  • resume_session, player options sync, logout, upload, and chat all use player accessToken.
  • resumeToken is reserved for OFFLINE_REFRESH and local plugin-side caching in TokenStore.
  • Session IDs remain backend-internal Redis state and are no longer part of the public plugin protocol.

Operational behavior

  • /server/refresh rotates the current server accessToken.
  • WebSocket transient reconnect restores player runtime via resume_session.
  • Full server reauth rebuilds server/player sessions through /server/login and /player/login.
  • Plugin reload keeps locally cached resumeToken values, so players with continueEnabled can auto-resume after the plugin comes back up; a full JVM stop still clears that local cache.
  • /server/logout and /player/logout remain best-effort cleanup calls.
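As an added example (not the project's own code), the following Python sketch of a backend-side authorization gate enforces the token classes described in the two lists above: the bootstrap token is honoured only at /server/login, runtime HTTP and the WebSocket handshake require the server accessToken (with the old serverSessionId query binding refused), player runtime calls require the player accessToken, and a resumeToken authenticates nothing but OFFLINE_REFRESH. The action labels, the in-memory registry and rotate_server_token are assumptions standing in for the project's real endpoints and Redis-backed session state.

```python
import secrets

# Token classes named in the note. The registry stands in for the backend's
# Redis session state (constructed here): token -> (kind, expires_at_unix).
BOOTSTRAP, SERVER_ACCESS, PLAYER_ACCESS, PLAYER_RESUME = (
    "bootstrap", "server_access", "player_access", "player_resume")

# Token class each action accepts. Action names are constructed labels for the
# endpoints/messages the note lists; the class mapping itself is from the note.
ACTION_POLICY = {
    "server.login": BOOTSTRAP,        # POST /server/login only
    "server.refresh": SERVER_ACCESS,  # /server/refresh
    "ws.connect": SERVER_ACCESS,      # WebSocket handshake
    "resume_session": PLAYER_ACCESS,
    "player.logout": PLAYER_ACCESS,
    "upload": PLAYER_ACCESS,
    "chat": PLAYER_ACCESS,
    "OFFLINE_REFRESH": PLAYER_RESUME,  # the only call a resumeToken may authenticate
}

def authorize(action, headers, query, registry, now):
    """Backend-side gate: bearer-only transport, correct token class, unexpired.
    Returns (allowed, reason)."""
    required = ACTION_POLICY.get(action)
    if required is None:
        return False, "unknown action"
    if action == "ws.connect" and "serverSessionId" in query:
        return False, "serverSessionId query binding is no longer accepted"
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return False, "missing or malformed Authorization: Bearer header"
    entry = registry.get(token)
    if entry is None:
        return False, "unknown token"
    kind, expires_at = entry
    if kind != required:
        return False, f"{kind} token not accepted for {action} (needs {required})"
    if expires_at <= now:
        return False, f"{kind} token expired"
    return True, "ok"

def rotate_server_token(registry, old_token, now, ttl_seconds):
    """Model of /server/refresh: the presented server accessToken is replaced and
    the old value stops working. Call only after authorize() has passed."""
    kind, _ = registry.pop(old_token)
    if kind != SERVER_ACCESS:
        raise ValueError("only a server accessToken can be rotated")
    new_token = secrets.token_urlsafe(32)
    registry[new_token] = (SERVER_ACCESS, now + ttl_seconds)
    return new_token
```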

Source of truth

  • docs/http-api-specification.md
  • docs/authentication-flow.md
  • docs/websocket-protocol.md
  • docs/network-architecture.md