feat(jans-fido) : fixed the ttl and session update issue #13829

Open
imran-ishaq wants to merge 1 commit into main from jans-fido2-fix-session-update-issue

@imran-ishaq imran-ishaq commented Apr 16, 2026

Description

Implemented a robust and reliable mechanism, aligned with the approach used in the Jans Auth Server, to properly manage session Time-To-Live (TTL) and ensure accurate updates of active sessions.

Target issue

This enhancement resolves the issue in jans-fido2 where session TTL was not being updated correctly, and active session states were not consistently refreshed. The fix ensures that session lifecycles are maintained accurately, improving overall stability and consistency of session management.

closes #13818

Implementation Details


Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

Summary by CodeRabbit

  • Bug Fixes
    • Enhanced session management with improved TTL calculation for active sessions. The system now automatically recalculates session validity periods based on expiration dates, ensuring sessions maintain accurate remaining time values.

Signed-off-by: imran <imranishaq7071@gmail.com>

coderabbitai bot commented Apr 16, 2026

Walkthrough

Modified updateSessionId() method in UserSessionIdService.java to recalculate and update session TTL based on the difference between expirationDate and current system time (in seconds), when expirationDate is non-null and computed remainingTtl is positive. Previously, only lastUsedAt was updated.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Session TTL Update Logic: jans-fido2/server/src/main/java/io/jans/fido2/service/persist/UserSessionIdService.java | Modified updateSessionId() method to recalculate and persist updated TTL value based on remaining time before expiration, ensuring session lifetime is refreshed during FIDO2 operations. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

comp-jans-fido2, kind-feature

Suggested reviewers

  • yurem
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'feat(jans-fido) : fixed the ttl and session update issue' is related to the changeset but is somewhat vague and uses a broad phrasing ('the ttl and session update issue') that doesn't convey specific implementation details, though it does reference the main change area. |
| Description check | ✅ Passed | The description includes target issue reference (#13818), implementation details explaining the TTL management mechanism and its alignment with jans-auth-server, and acknowledges the testing/documentation checklist. |
| Linked Issues check | ✅ Passed | The PR changes implement the core requirement from issue #13818: recalculating and updating TTL in updateSessionId() before persisting, preventing premature session expiration and ensuring active sessions extend their lifetime. |
| Out of Scope Changes check | ✅ Passed | The modification to UserSessionIdService.updateSessionId() is directly scoped to the stated objective of fixing session TTL and expiration handling, with no extraneous changes beyond this focused fix. |



mo-auto commented Apr 16, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scan Engine | Critical | High | Medium | Low | Total (0) |
|---|---|---|---|---|---|---|
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |


@imran-ishaq imran-ishaq marked this pull request as ready for review April 16, 2026 11:54
@imran-ishaq imran-ishaq requested a review from yurem as a code owner April 16, 2026 11:54
@mo-auto mo-auto added comp-jans-fido2 (Component affected by issue or PR) and kind-feature (Issue or PR is a new feature request) labels Apr 16, 2026

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1


📥 Commits

Reviewing files that changed from the base of the PR and between 8eb64c4 and a8715d4.

📒 Files selected for processing (1)
  • jans-fido2/server/src/main/java/io/jans/fido2/service/persist/UserSessionIdService.java

Comment on lines +121 to +126
if (entity.getExpirationDate() != null) {
int remainingTtl = (int) ((entity.getExpirationDate().getTime() - System.currentTimeMillis()) / 1000);
if (remainingTtl > 0) {
entity.setTtl(remainingTtl);
}
}
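
Review bot: The (int) cast on the remainingTtl line narrows a long second count with no range check, so an expirationDate more than Integer.MAX_VALUE seconds ahead wraps to an arbitrary, possibly negative, int, and the remainingTtl > 0 test then skips it silently and leaves the old ttl in place. Keep the subtraction and the comparison in long and clamp before narrowing, for example Math.min(seconds, Integer.MAX_VALUE). The non-positive case also needs an explicit decision: nothing in these lines distinguishes an already expired entity from a live one, so returning early or logging there would make the intended behaviour visible.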

⚠️ Potential issue | 🟠 Major

TTL refresh logic still does not extend the session window

Line 121-126 derives ttl from the current expirationDate but never recalculates expirationDate itself, so expiry stays anchored to the old deadline. That does not satisfy the “active session extends lifetime” objective; also, when computed TTL is non-positive, stale TTL can remain unchanged.

Proposed fix
 public void updateSessionId(SessionId entity) {
-    entity.setLastUsedAt(new Date());
-    if (entity.getExpirationDate() != null) {
-        int remainingTtl = (int) ((entity.getExpirationDate().getTime() - System.currentTimeMillis()) / 1000);
-        if (remainingTtl > 0) {
-            entity.setTtl(remainingTtl);
-        }
-    }
+    final Date now = new Date();
+    entity.setLastUsedAt(now);
+
+    if (entity.getCreationDate() != null && entity.getExpirationDate() != null) {
+        final long lifetimeSeconds = Math.max(
+            1L,
+            (entity.getExpirationDate().getTime() - entity.getCreationDate().getTime()) / 1000L
+        );
+        entity.setExpirationDate(new Date(now.getTime() + lifetimeSeconds * 1000L));
+        entity.setTtl((int) lifetimeSeconds);
+    }
     persistenceEntryManager.merge(entity);
 }
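
Review bot: Deriving lifetimeSeconds from expirationDate minus creationDate is only correct on the first call: once setExpirationDate(now + lifetime) has run, the next call measures from the unchanged creationDate to the already extended expiry, so the window grows on every refresh and a session that keeps being touched never expires. Take the window from a configured idle timeout instead and bound the new expiry by an absolute limit measured from creationDate. Nothing in these lines checks that the existing expirationDate is still in the future, so an expired entity passed in would be given a fresh expiry; return without extending in that case. The (int) lifetimeSeconds cast also narrows a long without a range check.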

If you already have a shared auth-server-style expiration calculator (state-aware), use that here to avoid drift.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@jans-fido2/server/src/main/java/io/jans/fido2/service/persist/UserSessionIdService.java`
around lines 121 - 126, The current TTL refresh in UserSessionIdService computes
remainingTtl from entity.getExpirationDate() and calls
entity.setTtl(remainingTtl) but never updates the entity's expirationDate, so
active sessions don't extend; change the logic to recompute and set a new
expirationDate when TTL is refreshed (e.g., compute newExpiry = now +
configuredSessionWindow or use the shared auth-server expiration calculator if
available), then call entity.setExpirationDate(newExpiry) and set
entity.setTtl((int)((newExpiry.getTime() - System.currentTimeMillis())/1000));
also handle non-positive remainingTtl by replacing stale values rather than
leaving them unchanged.
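
The refresh behaviour discussed in this review, as an added example that is not code from the pull request or from the Janssen project. It goes one step beyond the thread by capping the sliding window at an absolute lifetime and refusing to revive an expired session; SessionEntry, refresh, idleWindow, maxLifetime and the 30 minute / 8 hour values are hypothetical and constructed for illustration.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Optional;

public class SlidingSessionRefresh {
    /** Hypothetical stand-in for a persisted session entry; not the Janssen SessionId class. */
    static final class SessionEntry {
        final Instant createdAt;
        Instant lastUsedAt;
        Instant expiresAt;
        int ttlSeconds;

        SessionEntry(Instant createdAt, Instant expiresAt) {
            this.createdAt = createdAt;
            this.lastUsedAt = createdAt;
            this.expiresAt = expiresAt;
            this.ttlSeconds = ttlBetween(createdAt, expiresAt);
        }
    }

    /** Seconds from 'from' to 'to', computed in long and clamped to [0, Integer.MAX_VALUE]. */
    static int ttlBetween(Instant from, Instant to) {
        long seconds = Duration.between(from, to).getSeconds();
        return (int) Math.max(0L, Math.min(seconds, (long) Integer.MAX_VALUE));
    }

    // Slides expiry to now + idleWindow, capped at createdAt + maxLifetime.
    // Returns empty for an already expired session so the caller does not persist it.
    static Optional<SessionEntry> refresh(SessionEntry s, Instant now, Duration idleWindow, Duration maxLifetime) {
        if (!now.isBefore(s.expiresAt)) {
            return Optional.empty(); // expired: never revive
        }
        Instant hardLimit = s.createdAt.plus(maxLifetime);
        Instant slid = now.plus(idleWindow);
        s.expiresAt = slid.isBefore(hardLimit) ? slid : hardLimit;
        s.lastUsedAt = now;
        s.ttlSeconds = ttlBetween(now, s.expiresAt);
        return Optional.of(s);
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2026-04-16T12:00:00Z"); // constructed sample time
        Duration idle = Duration.ofMinutes(30), max = Duration.ofHours(8);
        SessionEntry s = new SessionEntry(t0, t0.plus(idle));
        Instant now = t0;
        int refreshes = 0; // touch the session every 20 minutes until a refresh is refused
        while (refresh(s, now = now.plus(Duration.ofMinutes(20)), idle, max).isPresent()) {
            refreshes++;
        }
        System.out.println(refreshes + " refreshes, final expiry " + s.expiresAt + ", refused at " + now);
    }
}
```

Because the window comes from configuration rather than from the stored dates, repeated refreshes cannot inflate it, and the final expiry never moves past createdAt plus maxLifetime.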


Development

Successfully merging this pull request may close these issues.

fix(jans-fido2): Session TTL and expiration not reset in UserSessionIdService
