add optional redis for backend storage

Author: olamilekan000

backend/auth/handler.go

@@ -118,7 +118,7 @@ func (ah *AuthHandler) HandleAuthorize(w http.ResponseWriter, r *http.Request) {
 		ah.respondWithError(w, authReq.ClientType, "failed to generate PKCE", http.StatusInternalServerError)
 		return
 	}
-	if err := ah.sessionStore.SavePKCEVerifier(authReq.SessionID, verifier); err != nil {
+	if err := ah.sessionStore.SavePKCEVerifier(r.Context(), authReq.SessionID, verifier); err != nil {
 		logger.Error(err, "failed to store PKCE verifier")
 		ah.respondWithError(w, authReq.ClientType, "failed to store PKCE verifier", http.StatusInternalServerError)
 		return
@@ -194,7 +194,7 @@ func (ah *AuthHandler) HandleCallback(w http.ResponseWriter, r *http.Request) {
 		ctx = context.WithValue(ctx, oauth2.HTTPClient, client)
 	}
 
-	verifier, err := ah.sessionStore.LoadAndDeletePKCEVerifier(authCode.SessionID)
+	verifier, err := ah.sessionStore.LoadAndDeletePKCEVerifier(r.Context(), authCode.SessionID)
 	if err != nil || verifier == "" {
 		logger.Error(err, "PKCE verifier not found for session; cannot exchange code", "sessionID", authCode.SessionID)
 		msg := "PKCE verifier not found. If you run multiple backend instances, use a shared session store (e.g. Redis) so the instance handling the callback can read the verifier stored at authorize time."
@@ -217,7 +217,7 @@ func (ah *AuthHandler) HandleCallback(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	// Set session expiration and store in middleware
-	err = ah.sessionStore.Save(sessionState)
+	err = ah.sessionStore.Save(r.Context(), sessionState)
 	if err != nil {
 		logger.Error(err, "failed to save session state")
 		http.Error(w, "internal error", http.StatusInternalServerError)

backend/auth/middleware.go

@@ -182,7 +182,7 @@ func (am *AuthMiddleware) verifyState(next http.Handler) http.Handler {
 			return
 		}
 
-		if !am.isValidSession(state.SessionID) {
+		if !am.isValidSession(r.Context(), state.SessionID) {
 			logger.V(2).Info("Session expired or invalid", "sessionID", state.SessionID)
 			writeErrorResponse(w, http.StatusUnauthorized, kubebindv1alpha2.ErrorCodeAuthenticationFailed, "Authentication required", "Session has expired or is invalid")
 			return
@@ -197,8 +197,8 @@ func (am *AuthMiddleware) verifyState(next http.Handler) http.Handler {
 }
 
 // isValidSession checks if a session ID exists and hasn't expired
-func (am *AuthMiddleware) isValidSession(sessionID string) bool {
-	sessionInfo, err := am.sessionStore.Load(sessionID)
+func (am *AuthMiddleware) isValidSession(ctx context.Context, sessionID string) bool {
+	sessionInfo, err := am.sessionStore.Load(ctx, sessionID)
 	if err != nil {
 		return false
 	}

backend/http/handler.go

@@ -112,15 +112,14 @@ func NewHandler(
 	mgr *kubernetes.Manager,
 	frontend string,
 	tokenExpiry time.Duration,
+	sessionStore session.Store,
 ) (*handler, error) {
 	// Create JWT service for CLI authentication
 	jwtService, err := auth.NewJWTService("kube-bind-backend")
 	if err != nil {
 		return nil, fmt.Errorf("failed to create JWT service: %w", err)
 	}
 
-	sessionStore := session.NewInMemoryStore()
-
 	// Create auth middleware for request authentication
 	authMiddleware := auth.NewAuthMiddleware(jwtService, cookieSigningKey, cookieEncryptionKey, mgr, sessionStore)
 

backend/options/options.go

@@ -33,10 +33,11 @@ import (
 )
 
 type Options struct {
-	Logs   *logs.Options
-	OIDC   *OIDC
-	Cookie *Cookie
-	Serve  *Serve
+	Logs    *logs.Options
+	OIDC    *OIDC
+	Cookie  *Cookie
+	Serve   *Serve
+	Session *Session
 
 	ProviderKcp *providerkcp.Options
 
@@ -81,10 +82,11 @@ type ExtraOptions struct {
 }
 
 type completedOptions struct {
-	Logs   *logs.Options
-	OIDC   *OIDC
-	Cookie *Cookie
-	Serve  *Serve
+	Logs    *logs.Options
+	OIDC    *OIDC
+	Cookie  *Cookie
+	Serve   *Serve
+	Session *Session
 
 	// Provider specific options
 	ProviderKcp *providerkcp.CompletedOptions
@@ -106,6 +108,7 @@ func NewOptions() *Options {
 		OIDC:        NewOIDC(),
 		Cookie:      NewCookie(),
 		Serve:       NewServe(),
+		Session:     NewSession(),
 		ProviderKcp: providerkcp.NewOptions(),
 
 		ExtraOptions: ExtraOptions{
@@ -155,6 +158,7 @@ func (options *Options) AddFlags(fs *pflag.FlagSet) {
 	options.OIDC.AddFlags(fs)
 	options.Cookie.AddFlags(fs)
 	options.Serve.AddFlags(fs)
+	options.Session.AddFlags(fs)
 	options.ProviderKcp.AddFlags(fs)
 
 	fs.StringVar(&options.KubeConfig, "kubeconfig", options.KubeConfig, "path to a kubeconfig. Only required if out-of-cluster")
@@ -207,6 +211,9 @@ func (options *Options) Complete() (*CompletedOptions, error) {
 		if err := options.Cookie.Complete(); err != nil {
 			return nil, err
 		}
+		if err := options.Session.Complete(); err != nil {
+			return nil, err
+		}
 	}
 
 	// normalize the scope and the isolation
@@ -243,6 +250,7 @@ func (options *Options) Complete() (*CompletedOptions, error) {
 			OIDC:         options.OIDC,
 			Cookie:       options.Cookie,
 			Serve:        options.Serve,
+			Session:      options.Session,
 			ExtraOptions: options.ExtraOptions,
 		},
 	}
@@ -276,6 +284,9 @@ func (options *CompletedOptions) Validate() error {
 		if err := options.Cookie.Validate(); err != nil {
 			return err
 		}
+		if err := options.Session.Validate(); err != nil {
+			return err
+		}
 	}
 
 	if options.ConsumerScope != string(kubebindv1alpha2.NamespacedScope) && options.ConsumerScope != string(kubebindv1alpha2.ClusterScope) {

backend/options/session.go

@@ -0,0 +1,45 @@
+/*
+Copyright 2026 The Kube Bind Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"github.com/spf13/pflag"
+
+	redisoptions "github.com/kube-bind/kube-bind/backend/options/session/redis"
+)
+
+type Session struct {
+	Redis *redisoptions.Options
+}
+
+func NewSession() *Session {
+	return &Session{
+		Redis: redisoptions.NewOptions(),
+	}
+}
+
+func (options *Session) AddFlags(fs *pflag.FlagSet) {
+	options.Redis.AddFlags(fs)
+}
+
+func (options *Session) Complete() error {
+	return nil
+}
+
+func (options *Session) Validate() error {
+	return options.Redis.Validate()
+}

backend/options/session/redis/options.go

@@ -0,0 +1,43 @@
+/*
+Copyright 2026 The Kube Bind Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package redis
+
+import (
+	"fmt"
+
+	"github.com/spf13/pflag"
+)
+
+type Options struct {
+	Address  string
+	Password string
+}
+
+func NewOptions() *Options {
+	return &Options{}
+}
+
+func (options *Options) AddFlags(fs *pflag.FlagSet) {
+	fs.StringVar(&options.Address, "redis-addr", options.Address, "The redis address (e.g. localhost:6379) to connect to if storing sessions in Redis. If empty, the in-memory provider is used.")
+	fs.StringVar(&options.Password, "redis-password", options.Password, "The connection password to use if storing sessions in Redis.")
+}
+func (options *Options) Validate() error {
+	if options.Password != "" && options.Address == "" {
+		return fmt.Errorf("redis-addr must be specified when using redis-password")
+	}
+	return nil
+}

backend/server.go

@@ -38,6 +38,8 @@ import (
 	"github.com/kube-bind/kube-bind/backend/controllers/servicenamespace"
 	http "github.com/kube-bind/kube-bind/backend/http"
 	kube "github.com/kube-bind/kube-bind/backend/kubernetes"
+	"github.com/kube-bind/kube-bind/backend/session/memory"
+	"github.com/kube-bind/kube-bind/backend/session/redis"
 	kubebindv1alpha2 "github.com/kube-bind/kube-bind/sdk/apis/kubebind/v1alpha2"
 )
 
@@ -126,6 +128,11 @@ func NewServer(ctx context.Context, c *Config) (*Server, error) {
 			}
 		}
 
+		sessionStore := memory.NewInMemoryStore()
+		if c.Options.Session.Redis.Address != "" || c.Options.Session.Redis.Password != "" {
+			sessionStore = redis.New(c.Options.Session.Redis.Address, c.Options.Session.Redis.Password)
+		}
+
 		handler, err := http.NewHandler(
 			s,
 			s.Config.Options.OIDC.OIDCServer,
@@ -140,6 +147,7 @@ func NewServer(ctx context.Context, c *Config) (*Server, error) {
 			s.Kubernetes,
 			c.Options.Frontend,
 			c.Options.TokenExpiry,
+			sessionStore,
 		)
 		if err != nil {
 			return nil, fmt.Errorf("error setting up HTTP Handler: %w", err)

backend/session/store.go backend/session/memory/memory.gobackend/session/store.go renamed to backend/session/memory/memory.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2025 The Kube Bind Authors.
+Copyright 2026 The Kube Bind Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -14,63 +14,54 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package session
+package memory
 
 import (
+	"context"
 	"errors"
-	"fmt"
 	"sync"
-)
-
-var ErrSessionNotFound = fmt.Errorf("session not found")
-var ErrPKCEVerifierNotFound = fmt.Errorf("pkce verifier not found")
 
-type Store interface {
-	Save(state *State) error
-	Load(sessionID string) (*State, error)
-	Delete(sessionID string) error
-	SavePKCEVerifier(sessionID, verifier string) error
-	LoadAndDeletePKCEVerifier(sessionID string) (string, error)
-}
+	"github.com/kube-bind/kube-bind/backend/session"
+)
 
 type InMemoryStore struct {
 	lock          sync.RWMutex
-	sessions      map[string]*State
+	sessions      map[string]*session.State
 	pkceVerifiers map[string]string
 }
 
-func NewInMemoryStore() *InMemoryStore {
+func NewInMemoryStore() session.Store {
 	return &InMemoryStore{
-		sessions:      make(map[string]*State),
+		sessions:      make(map[string]*session.State),
 		pkceVerifiers: make(map[string]string),
 	}
 }
 
-func (s *InMemoryStore) Save(state *State) error {
+func (s *InMemoryStore) Save(ctx context.Context, state *session.State) error {
 	s.lock.Lock()
 	defer s.lock.Unlock()
 	s.sessions[state.SessionID] = state
 	return nil
 }
 
-func (s *InMemoryStore) Load(sessionID string) (*State, error) {
+func (s *InMemoryStore) Load(ctx context.Context, sessionID string) (*session.State, error) {
 	s.lock.RLock()
 	defer s.lock.RUnlock()
 	state, exists := s.sessions[sessionID]
 	if !exists {
-		return nil, ErrSessionNotFound
+		return nil, session.ErrSessionNotFound
 	}
 	return state, nil
 }
 
-func (s *InMemoryStore) Delete(sessionID string) error {
+func (s *InMemoryStore) Delete(ctx context.Context, sessionID string) error {
 	s.lock.Lock()
 	defer s.lock.Unlock()
 	delete(s.sessions, sessionID)
 	return nil
 }
 
-func (s *InMemoryStore) SavePKCEVerifier(sessionID, verifier string) error {
+func (s *InMemoryStore) SavePKCEVerifier(ctx context.Context, sessionID, verifier string) error {
 	if sessionID == "" || verifier == "" {
 		return errors.New("sessionID and verifier cannot be empty")
 	}
@@ -80,15 +71,15 @@ func (s *InMemoryStore) SavePKCEVerifier(sessionID, verifier string) error {
 	return nil
 }
 
-func (s *InMemoryStore) LoadAndDeletePKCEVerifier(sessionID string) (string, error) {
+func (s *InMemoryStore) LoadAndDeletePKCEVerifier(ctx context.Context, sessionID string) (string, error) {
 	if sessionID == "" {
-		return "", ErrPKCEVerifierNotFound
+		return "", session.ErrPKCEVerifierNotFound
 	}
 	s.lock.Lock()
 	defer s.lock.Unlock()
 	verifier, ok := s.pkceVerifiers[sessionID]
 	if !ok {
-		return "", ErrPKCEVerifierNotFound
+		return "", session.ErrPKCEVerifierNotFound
 	}
 	delete(s.pkceVerifiers, sessionID)
 	return verifier, nil

backend/session/provider.go

@@ -0,0 +1,33 @@
+/*
+Copyright 2026 The Kube Bind Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package session
+
+import (
+	"context"
+	"fmt"
+)
+
+var ErrSessionNotFound = fmt.Errorf("session not found")
+var ErrPKCEVerifierNotFound = fmt.Errorf("pkce verifier not found")
+
+type Store interface {
+	Save(ctx context.Context, state *State) error
+	Load(ctx context.Context, sessionID string) (*State, error)
+	Delete(ctx context.Context, sessionID string) error
+	SavePKCEVerifier(ctx context.Context, sessionID, verifier string) error
+	LoadAndDeletePKCEVerifier(ctx context.Context, sessionID string) (string, error)
+}