Add config option for expiration of sessions/tokens

2025-07-23 12:51:40 +02:00 · 2022-02-16 11:50:25 +01:00
parent b685462cb2
commit 19b2b6c2a9
2 changed files with 30 additions and 3 deletions
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -12,6 +12,7 @@ import (
 	"net/http"
 	"os"
 	"strings"
+	"time"

 	"github.com/ClusterCockpit/cc-backend/log"
 	sq "github.com/Masterminds/squirrel"
@@ -60,6 +61,10 @@ type Authentication struct {

 	ldapConfig           *LdapConfig
 	ldapSyncUserPassword string
+
+	// If zero, tokens/sessions do not expire.
+	SessionMaxAge time.Duration
+	JwtMaxAge     time.Duration
 }

 func (auth *Authentication) Init(db *sqlx.DB, ldapConfig *LdapConfig) error {
@@ -208,7 +213,9 @@ func (auth *Authentication) Login(onsuccess http.Handler, onfailure func(rw http
 			return
 		}

-		session.Options.MaxAge = 30 * 24 * 60 * 60
+		if auth.SessionMaxAge != 0 {
+			session.Options.MaxAge = int(auth.SessionMaxAge.Seconds())
+		}
 		session.Values["username"] = user.Username
 		session.Values["roles"] = user.Roles
 		if err := auth.sessionStore.Save(r, rw, session); err != nil {
@@ -320,10 +327,15 @@ func (auth *Authentication) ProvideJWT(user *User) (string, error) {
 		return "", errors.New("environment variable 'JWT_PRIVATE_KEY' not set")
 	}

-	tok := jwt.NewWithClaims(jwt.SigningMethodEdDSA, jwt.MapClaims{
+	claims := jwt.MapClaims{
 		"sub":   user.Username,
 		"roles": user.Roles,
-	})
+	}
+	if auth.JwtMaxAge != 0 {
+		claims["exp"] = time.Now().Add(auth.JwtMaxAge).Unix()
+	}
+
+	tok := jwt.NewWithClaims(jwt.SigningMethodEdDSA, claims)

 	return tok.SignedString(auth.jwtPrivateKey)
 }