refactor(auth): replace reflection with interface+registry pattern for session store

- Add QSessionStoreProviderInterface in core for providers to implement
- Add QSessionStoreRegistry singleton for providers to register on startup
- Refactor QSessionStoreHelper to use registry instead of reflection
- Add loadAndTouchSession() for combined load+touch operation
- Update OAuth2AuthenticationModule to use loadAndTouchSession()

Author: KofTwentyTwo

qqq-backend-core/src/main/java/com/kingsrook/qqq/backend/core/modules/authentication/QSessionStoreHelper.java

@@ -22,7 +22,6 @@
 package com.kingsrook.qqq.backend.core.modules.authentication;
 
 
-import java.lang.reflect.Method;
 import java.time.Duration;
 import java.util.Optional;
 import com.kingsrook.qqq.backend.core.logging.QLogger;
@@ -31,63 +30,45 @@
 
 
 /*******************************************************************************
- ** Helper class for optionally interacting with the QSessionStore QBit.
+ ** Helper class for interacting with the session store.
  **
- ** Uses reflection to avoid a hard dependency on the qbit-session-store module.
- ** All methods are designed to fail silently (returning empty/default values)
- ** when the QBit is not on the classpath, ensuring backwards compatibility.
+ ** Delegates to the provider registered with QSessionStoreRegistry. All methods
+ ** are designed to fail silently (returning empty/default values) when no
+ ** provider is registered, ensuring backwards compatibility.
  *******************************************************************************/
 public class QSessionStoreHelper
 {
    private static final QLogger LOG = QLogger.getLogger(QSessionStoreHelper.class);
 
-   private static final String CONTEXT_CLASS = "com.kingsrook.qbits.sessionstore.QSessionStoreQBitContext";
-
-   private static Boolean sessionStoreAvailable = null;
+   private static final Duration DEFAULT_TTL = Duration.ofHours(1);
 
 
 
    /***************************************************************************
-    ** Check if the session store QBit is available on the classpath.
+    ** Check if a session store provider is available.
     ***************************************************************************/
    public static boolean isSessionStoreAvailable()
    {
-      if(sessionStoreAvailable == null)
-      {
-         try
-         {
-            Class.forName(CONTEXT_CLASS);
-            sessionStoreAvailable = true;
-         }
-         catch(ClassNotFoundException e)
-         {
-            sessionStoreAvailable = false;
-         }
-      }
-      return sessionStoreAvailable;
+      return QSessionStoreRegistry.getInstance().isAvailable();
    }
 
 
 
    /***************************************************************************
-    ** Store a session in the session store (if available and configured).
+    ** Store a session in the session store (if available).
     ***************************************************************************/
    public static void storeSession(String sessionUuid, QSession session, Duration ttl)
    {
-      if(!isSessionStoreAvailable())
+      Optional<QSessionStoreProviderInterface> provider = QSessionStoreRegistry.getInstance().getProvider();
+      if(provider.isEmpty())
       {
          return;
       }
 
       try
       {
-         Object provider = getProvider();
-         if(provider != null)
-         {
-            Method storeMethod = provider.getClass().getMethod("store", String.class, QSession.class, Duration.class);
-            storeMethod.invoke(provider, sessionUuid, session, ttl);
-            LOG.debug("Stored session in session store", logPair("sessionUuid", sessionUuid));
-         }
+         provider.get().store(sessionUuid, session, ttl);
+         LOG.debug("Stored session in session store", logPair("sessionUuid", sessionUuid));
       }
       catch(Exception e)
       {
@@ -98,29 +79,24 @@ public static void storeSession(String sessionUuid, QSession session, Duration t
 
 
    /***************************************************************************
-    ** Load a session from the session store (if available and configured).
+    ** Load a session from the session store (if available).
     ***************************************************************************/
-   @SuppressWarnings("unchecked")
    public static Optional<QSession> loadSession(String sessionUuid)
    {
-      if(!isSessionStoreAvailable())
+      Optional<QSessionStoreProviderInterface> provider = QSessionStoreRegistry.getInstance().getProvider();
+      if(provider.isEmpty())
       {
          return Optional.empty();
       }
 
       try
       {
-         Object provider = getProvider();
-         if(provider != null)
+         Optional<QSession> result = provider.get().load(sessionUuid);
+         if(result.isPresent())
          {
-            Method loadMethod = provider.getClass().getMethod("load", String.class);
-            Optional<QSession> result = (Optional<QSession>) loadMethod.invoke(provider, sessionUuid);
-            if(result.isPresent())
-            {
-               LOG.debug("Loaded session from session store", logPair("sessionUuid", sessionUuid));
-            }
-            return result;
+            LOG.debug("Loaded session from session store", logPair("sessionUuid", sessionUuid));
          }
+         return result;
       }
       catch(Exception e)
       {
@@ -133,72 +109,83 @@ public static Optional<QSession> loadSession(String sessionUuid)
 
 
    /***************************************************************************
-    ** Touch a session to reset its TTL (if available and configured).
+    ** Load a session and touch it to reset its TTL in a single operation.
+    **
+    ** This is more efficient than calling loadSession + touchSession separately,
+    ** as providers may implement optimized single-call versions (e.g., Redis
+    ** GETEX, combined SQL query).
     ***************************************************************************/
-   public static void touchSession(String sessionUuid)
+   public static Optional<QSession> loadAndTouchSession(String sessionUuid)
    {
-      if(!isSessionStoreAvailable())
+      Optional<QSessionStoreProviderInterface> provider = QSessionStoreRegistry.getInstance().getProvider();
+      if(provider.isEmpty())
       {
-         return;
+         return Optional.empty();
       }
 
       try
       {
-         Object provider = getProvider();
-         if(provider != null)
+         Optional<QSession> result = provider.get().loadAndTouch(sessionUuid);
+         if(result.isPresent())
          {
-            Method touchMethod = provider.getClass().getMethod("touch", String.class);
-            touchMethod.invoke(provider, sessionUuid);
+            LOG.debug("Loaded and touched session from session store", logPair("sessionUuid", sessionUuid));
          }
+         return result;
       }
       catch(Exception e)
       {
-         LOG.warn("Failed to touch session in session store", e, logPair("sessionUuid", sessionUuid));
+         LOG.warn("Failed to load and touch session in session store", e, logPair("sessionUuid", sessionUuid));
       }
+
+      return Optional.empty();
    }
 
 
 
    /***************************************************************************
-    ** Get the configured default TTL from the session store config.
+    ** Touch a session to reset its TTL (if available).
     ***************************************************************************/
-   public static Duration getDefaultTtl()
+   public static void touchSession(String sessionUuid)
    {
-      if(!isSessionStoreAvailable())
+      Optional<QSessionStoreProviderInterface> provider = QSessionStoreRegistry.getInstance().getProvider();
+      if(provider.isEmpty())
       {
-         return Duration.ofHours(1);
+         return;
       }
 
       try
       {
-         Class<?> contextClass = Class.forName(CONTEXT_CLASS);
-         Method getConfigMethod = contextClass.getMethod("getConfig");
-         Object config = getConfigMethod.invoke(null);
-
-         if(config != null)
-         {
-            Method getTtlMethod = config.getClass().getMethod("getDefaultTtl");
-            return (Duration) getTtlMethod.invoke(config);
-         }
+         provider.get().touch(sessionUuid);
       }
       catch(Exception e)
       {
-         LOG.debug("Failed to get default TTL from session store config", e);
+         LOG.warn("Failed to touch session in session store", e, logPair("sessionUuid", sessionUuid));
       }
-
-      return Duration.ofHours(1);
    }
 
 
 
    /***************************************************************************
-    ** Get the provider instance from the context class.
+    ** Get the configured default TTL from the session store provider.
     ***************************************************************************/
-   private static Object getProvider() throws Exception
+   public static Duration getDefaultTtl()
    {
-      Class<?> contextClass = Class.forName(CONTEXT_CLASS);
-      Method getProviderMethod = contextClass.getMethod("getProvider");
-      return getProviderMethod.invoke(null);
+      Optional<QSessionStoreProviderInterface> provider = QSessionStoreRegistry.getInstance().getProvider();
+      if(provider.isEmpty())
+      {
+         return DEFAULT_TTL;
+      }
+
+      try
+      {
+         return provider.get().getDefaultTtl();
+      }
+      catch(Exception e)
+      {
+         LOG.debug("Failed to get default TTL from session store provider", e);
+      }
+
+      return DEFAULT_TTL;
    }
 
 }

qqq-backend-core/src/main/java/com/kingsrook/qqq/backend/core/modules/authentication/QSessionStoreProviderInterface.java

@@ -0,0 +1,104 @@
+/*
+ * QQQ - Low-code Application Framework for Engineers.
+ * Copyright (C) 2021-2025.  Kingsrook, LLC
+ * 651 N Broad St Ste 205 # 6917 | Middletown DE 19709 | United States
+ * contact@kingsrook.com
+ * https://github.com/Kingsrook/
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package com.kingsrook.qqq.backend.core.modules.authentication;
+
+
+import java.time.Duration;
+import java.util.Optional;
+import com.kingsrook.qqq.backend.core.model.session.QSession;
+
+
+/*******************************************************************************
+ ** Interface for session storage providers.
+ **
+ ** QBits or application code can implement this interface to provide session
+ ** persistence. Implementations register themselves with QSessionStoreRegistry
+ ** on startup, and QQQ core uses the registered provider for session caching.
+ **
+ ** Example providers:
+ ** - InMemory: ConcurrentHashMap for dev/testing
+ ** - TableBased: QQQ table storage for multi-instance persistence
+ ** - Redis: Distributed caching for HA deployments
+ *******************************************************************************/
+public interface QSessionStoreProviderInterface
+{
+
+   /***************************************************************************
+    ** Store a session with the given TTL.
+    **
+    ** @param sessionUuid Unique identifier for the session
+    ** @param session The session to store
+    ** @param ttl Time-to-live for the session
+    ***************************************************************************/
+   void store(String sessionUuid, QSession session, Duration ttl);
+
+
+   /***************************************************************************
+    ** Load a session by UUID.
+    **
+    ** @param sessionUuid Unique identifier for the session
+    ** @return Optional containing the session if found and not expired
+    ***************************************************************************/
+   Optional<QSession> load(String sessionUuid);
+
+
+   /***************************************************************************
+    ** Remove a session by UUID.
+    **
+    ** @param sessionUuid Unique identifier for the session to remove
+    ***************************************************************************/
+   void remove(String sessionUuid);
+
+
+   /***************************************************************************
+    ** Touch a session to reset its TTL (sliding expiration).
+    **
+    ** @param sessionUuid Unique identifier for the session to touch
+    ***************************************************************************/
+   void touch(String sessionUuid);
+
+
+   /***************************************************************************
+    ** Get the default TTL for sessions.
+    **
+    ** @return The default time-to-live duration
+    ***************************************************************************/
+   Duration getDefaultTtl();
+
+
+   /***************************************************************************
+    ** Load a session and touch it to reset its TTL in a single operation.
+    **
+    ** Default implementation calls load() then touch(). Providers may override
+    ** with optimized implementations (e.g., Redis GETEX, combined SQL query).
+    **
+    ** @param sessionUuid Unique identifier for the session
+    ** @return Optional containing the session if found and not expired
+    ***************************************************************************/
+   default Optional<QSession> loadAndTouch(String sessionUuid)
+   {
+      Optional<QSession> session = load(sessionUuid);
+      session.ifPresent(s -> touch(sessionUuid));
+      return session;
+   }
+
+}