I am attempting to abstract the authorization/authentication from my upstream services into Kong API gateway. Previously, I was using express + passport to handle sessions. Whenever a user logs in with their credentials a session would be created with their user info attached to the req object (
Currently, I am using API keys + session + serverless functions to compare user passwords (using the bcrypt Lua library) from a file mapped into the Kong container. The client would send an initial login request (with username and password) with an API key to log in, the serverless function would compare the password hashes, and if all that passes, the session would get created.
However, my question is: is there a way to store the username in the session database, so my upstream service can ask for that information to ensure that the session attached to the username is valid?