Support additional session user info

[andriygm]

Currently, we have two fields we can access for current authenticated user info:

• session$user
• session$groups

This is somewhat limiting as it prevents us from passing additional custom parameters like full name, username/ID, email, etc in contexts like proxies. We should support setting an additional object session$userInfo or similar by the Shiny-Server-Credentials JSON object set during the websocket request. We could consider deprecating user and groups in favor of the proposed userInfo object with mandatory user and groups fields, but could also keep both for posterity/compatibility.

[gadenbuie]

Is this a feature request for Shiny or for Shiny Server?

I'm a little thrown off by the tense and subject of "We should support setting an additional object...". Do you mean "Shiny should..." or "We'd like to have..."? It might be helpful to reword your issue to clarify.

If you have access to this information and if you're looking for a place to store it in the session object, you can put it in session$userData.

[andriygm]

@gadenbuie apologies for the vagueness in the request -- basically looking at this chunk in shiny.R:

shiny/R/shiny.R

Lines 767 to 773 in 50a140c

	if (!is.null(websocket$request$HTTP_SHINY_SERVER_CREDENTIALS)) {
	try({
	creds <- safeFromJSON(websocket$request$HTTP_SHINY_SERVER_CREDENTIALS)
	self$user <- creds$user
	self$groups <- creds$groups
	}, silent=FALSE)
	}

which I believe is being utilized by at least Posit Connect (documented here) to pass the authenticated user into the session.

I believe the wording I want is "Shiny should..." since this doesn't necessary require Posit Connect to change its implementation. Rather, we'd like to be able to set session variables outside of the R context itself, instead from the WebSocket request to the worker as an additional header (currently possible via Shiny-Server-Credentials with limitations as described above). Please let me know if I can clarify further here.

[gadenbuie]

To summarize, you'd like to be able to pass session data to R via a WebSocket header and have it end up in a known location. Does that sound right? Would it also work for you to use headers on the initial HTTP request?

[andriygm]

That's correct yes, and we can definitely set on initial HTTP request, whatever is preferred.