One of your users' session tokens was compromised - your only recourse is changing the secret and logging out everyone.
Cool project, by the way! Thank you for making it open source. I had a similar use case where I added an extra Nginx just for auth_request, this makes me reevaluate.
I use ngx_http_auth_request_module a lot and used haproxy a lot in the past, but it's currently too limiting for my use cases - now that I know it supports Lua, we're in a whole different ballgame.
You're welcome. I like giving back to Open Source.
> but it's currently too limiting for my use cases
My personal experience is the opposite: for one project I specifically slapped a haproxy in front of the nginx after the fact, because I considered its HTTP "rewriting" abilities way superior.
What I could do with a single ACL + http-response set-header (setting a specific CSP for a single path only) would have resulted in great pain with nginx only.
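As an added illustration of the ACL + http-response set-header pattern described above (example configuration, not the commenter's own config): a restrictive default CSP is applied to every response, and a single path gets its own looser policy. The path is stored in a transaction variable during the request phase so the response rule can match on it reliably; the backend name, the /admin path and the policy values are assumptions.

```haproxy
frontend www
    bind *:80
    mode http

    # Remember the request path for the response phase (assumed: the
    # path-specific policy is needed for /admin only).
    http-request set-var(txn.req_path) path

    # ACL evaluated against the stored request path.
    acl is_admin var(txn.req_path) -m beg /admin

    # Restrictive default: applied to every response first ...
    http-response set-header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'"

    # ... then overridden for the single path that needs an extra
    # script origin (constructed example value).
    http-response set-header Content-Security-Policy "default-src 'self'; script-src 'self' https://widgets.example.com; frame-ancestors 'none'" if is_admin

    default_backend app

backend app
    mode http
    server app1 127.0.0.1:8080
```

Verify with `curl -sI http://<host>/` and `curl -sI http://<host>/admin/` and compare the Content-Security-Policy header; the second set-header replaces the first only when the ACL matches, so every response still carries a policy.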