[FR] return html meta tags for users/session-info action

[leevigraham]

Currently the users/session-info endpoint only accepts json:

public function actionSessionInfo(): Response
    {
        $this->requireAcceptsJson();

        $userSession = Craft::$app->getUser();
        /** @var User|null $user */
        $user = $userSession->getIdentity();

        $return = [
            'isGuest' => $user === null,
            'timeout' => $userSession->getRemainingSessionTime(),
        ];

        if (Craft::$app->getConfig()->getGeneral()->enableCsrfProtection) {
            $return['csrfTokenName'] = Craft::$app->getConfig()->getGeneral()->csrfTokenName;
            $return['csrfTokenValue'] = $this->request->getCsrfToken();
        }

        if ($user !== null) {
            $return['id'] = $user->id;
            $return['uid'] = $user->uid;
            $return['username'] = $user->username;
            $return['email'] = $user->email;
        }

        return $this->asJson($return);
    }

I have an alternative implementation in my own controller that adds a few extra properties.

While reading this comment: #15427 (reply in thread) @timkelty points out that I could add those extra properties via an event.

However my implementation also returns html <meta> tags if the accept content header is not application/json.

Why? Well I use nginx server side includes to inject the meta in statically cached pages for an instant load without the additional fetch request.

Here's my version:

public function actionSessionInfo(): Response
    {
        $userSession = Craft::$app->getUser();
        /** @var User|null $user */
        $user = $userSession->getIdentity();
        $sessionInfo = [
            'user' => $user ? [
                'id' => $user->id,
                'uid' => $user->uid,
                'username' => $user->username,
                'name' => $user->name,
                'friendlyName' => $user->friendlyName,
                'email' => $user->email,
                'canAccessCp' => $userSession->checkPermission('accessCp'),
            ] : null,
            'timeout' => $userSession->getRemainingSessionTime(),
            'csrf' => Craft::$app->getConfig()->getGeneral()->enableCsrfProtection ? [
                'tokenName' => Craft::$app->getConfig()->getGeneral()->csrfTokenName,
                'tokenValue' => Craft::$app->getRequest()->getCsrfToken(),
            ] : null,
            'userAccountNavHtml' => Craft::$app->view->renderTemplate('_components/UserAccountNav/UserAccountNav.twig', [
                'user' => $user
            ])
        ];

        if($this->request->getAcceptsJson()) {
            return $this->asJson($sessionInfo);
        }

        $response = Html::csrfMetaTags();
        $response .= Html::tag('meta', '', [
            'name' => 'user-session-info',
            'content' => json_encode($sessionInfo),
        ]);

        $this->response->content = $response;
        return $this->response;
    }

Would a PR be considered that returned <meta> tags in the case of a HTML request?

[timkelty]

@leevigraham I like that idea! The same could be done via ESIs, which Craft Cloud supports.

It feels a little odd to repurpose the users/session-info action though? I might prefer a dedicated endpoint…
Anyway, let me discuss with the team!

[leevigraham]

The only reason I thought of repurposing that action is it already has all the user logic. As you pointed out you can also extend it with extra data in an event.

Having a single controller method might be easier for documentation and maintenance.

Additionally as I demonstrated in discord sometimes I load the content via a html tag, but I also have the option in my js to hit the same endpoint and force updated my internal js user state.

[timkelty]

Does make me wonder though…if you already have SSIs – why not just inject the CSRF input directly via SSI, rather than dealing with the additional JS of decoding the meta header and submitting via js?

[leevigraham]

For anyone seeing this in the future the short answer is to avoid multiple requests to craft for each SSI tag.

I have dynamic islands of html for user nav, csrf tag(s), CP edit links etc.