[Authenticate]'d endpoint returns null from SessionAs and GetSessionTimeToLive

We’re trying to return to clients essentially an expiration / TTL value of the session, so we have an endpoint for this which grabs a couple of things:

[Authenticate]
public async Task<CustomUserSession> Get(GetTtl dto) {
  var ttl = await Request.GetSessionTimeToLiveAsync();
  //...
  var userSession = SessionAs<CustomAuthUserSession>();
  //... do things
}

But sometimes ttl / userSession are null, generating 500 errors. Shouldn’t the [Authenticate] attribute block against entering into this method if the session is expired / non-existent?

If you’re using IdentityAuth you should be using [ValidateIsAuthenticated] on the Request DTO (e.g. GetTtl) instead, which is also the preferred method to annotate that an API requires Authentication for all ServiceStack Hosts.

We are using SS authentication, is that the same?

I’d recommend it for all ServiceStack Apps, as it’s declarative, decoupled from a specific implementation and lets client Applications know which APIs are authenticated.

Action Filters (i.e. Request Filters on method implementations) are rare. It executes the same implementation but it differs on where it’s executed in the Request Pipeline. I’d recommend using [ValidateIsAuthenticated] for APIs requiring Auth instead.

Can you try to switch to [ValidateIsAuthenticated] on the GetTtl DTO to see if it makes a difference? If it doesn’t, please provide the full StackTrace. Also, what Memory Cache implementation are you using?

Making the updates now - we are using Valkey / Redis in AWS in the cloud, with SQL localhost.

Is this a rare occurrence? If you’re using a distributed caching provider then a race condition is more possible where the session exists when the Request is validated but was removed before rechecking the session TTL.
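
Added example, not part of the thread and not ServiceStack's own code: one way to make the endpoint fail closed when the session disappears between validation and the TTL lookup, returning 401 instead of a 500. GetTtlResponse and TtlService are hypothetical names, the empty CustomAuthUserSession stands in for the poster's type, and the TTL is assumed to come back as a nullable TimeSpan.

```csharp
using System;
using System.Threading.Tasks;
using ServiceStack;

// Hypothetical response DTO for this example
public class GetTtlResponse
{
    public double SecondsRemaining { get; set; }
    public string UserAuthId { get; set; }
}

// Declarative auth on the Request DTO, as recommended in the thread
[ValidateIsAuthenticated]
public class GetTtl : IReturn<GetTtlResponse> { }

// Stand-in for the custom session type named in the question
public class CustomAuthUserSession : AuthUserSession { }

public class TtlService : Service
{
    public async Task<object> Get(GetTtl dto)
    {
        // With a distributed cache (Redis / Valkey) the session can expire or be
        // evicted after the auth validation ran but before these lookups happen.
        var ttl = await Request.GetSessionTimeToLiveAsync(); // assumed TimeSpan?
        var userSession = SessionAs<CustomAuthUserSession>();

        // Fail closed: a missing TTL, a missing session, or an unauthenticated
        // session is treated as "not logged in" rather than dereferenced.
        if (ttl == null
            || ttl.Value <= TimeSpan.Zero
            || userSession == null
            || !userSession.IsAuthenticated)
        {
            throw HttpError.Unauthorized("Session expired");
        }

        return new GetTtlResponse
        {
            SecondsRemaining = ttl.Value.TotalSeconds,
            UserAuthId = userSession.UserAuthId,
        };
    }
}
```

Clients then see a 401 they can handle by re-authenticating, and the narrow window described above no longer surfaces as a server error.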