feat: ability to have expiry times increased on session activity

adamcooke · May 2, 2022 · a67dbbe · a67dbbe
1 parent 41431a6
commit a67dbbe
Show file tree

Hide file tree

Showing 3 changed files with 64 additions and 0 deletions.
diff --git a/lib/authie/config.rb b/lib/authie/config.rb
@@ -9,6 +9,7 @@ class Config
     attr_accessor :sudo_session_timeout
     attr_accessor :browser_id_cookie_name
     attr_accessor :session_token_length
+    attr_accessor :extend_session_expiry_on_touch
     attr_accessor :events
 
     def initialize
@@ -17,6 +18,7 @@ def initialize
       @sudo_session_timeout = 10.minutes
       @browser_id_cookie_name = :browser_id
       @session_token_length = 64
+      @extend_session_expiry_on_touch = false
       @events = EventManager.new
     end
   end

diff --git a/lib/authie/session.rb b/lib/authie/session.rb
@@ -92,6 +92,7 @@ def touch
       @session.last_activity_ip = @controller.request.ip
       @session.last_activity_path = @controller.request.path
       @session.requests += 1
+      extend_session_expiry_if_appropriate
       @session.save!
       Authie.config.events.dispatch(:session_touched, self)
       self
@@ -210,6 +211,16 @@ def validate_host
       self
     end
 
+    def extend_session_expiry_if_appropriate
+      return if @session.expires_at.nil?
+      return unless Authie.config.extend_session_expiry_on_touch
+
+      # If enabled, sessions with an expiry time will automatiaclly be incremented
+      # whenever a page is touched. The cookie will also be updated as appropriate.
+      @session.expires_at = Authie.config.persistent_session_length.from_now
+      set_cookie
+    end
+
     class << self
       # Create a new session within the given controller for the
       #

diff --git a/spec/lib/session_spec.rb b/spec/lib/session_spec.rb
@@ -153,6 +153,57 @@
       expect(Authie.config.events).to receive(:dispatch).with(:session_touched, session)
       session.touch
     end
+
+    context 'when session expiry extension is not enabled' do
+      subject(:session_model) do
+        Authie::SessionModel.create!(user: user, browser_id: browser_id, expires_at: 4.hours.from_now)
+      end
+
+      before { allow(Authie.config).to receive(:extend_session_expiry_on_touch).and_return(false) }
+
+      it 'does not extend the expiry date on the session' do
+        original_time = session_model.expires_at
+        Timecop.freeze(original_time + 10.hours) { session.touch }
+        session.session.reload
+        expect(session.expires_at).to eq original_time
+      end
+
+      it 'does not set the expiry time' do
+        expect(session.session).to_not receive(:expires_at=)
+        session.touch
+      end
+
+      it 'does not update the cookie' do
+        expect(session).to_not receive(:set_cookie)
+        session.touch
+      end
+    end
+
+    context 'when session expiry extension is enabled' do
+      subject(:session_model) do
+        Authie::SessionModel.create!(user: user, browser_id: browser_id, expires_at: Time.now)
+      end
+
+      before { allow(Authie.config).to receive(:extend_session_expiry_on_touch).and_return(true) }
+
+      it 'does not set the expiry time' do
+        expect(session.session).to receive(:expires_at=).and_call_original
+        session.touch
+      end
+
+      it 'extends the expiry date on the session' do
+        time = session_model.created_at
+        Timecop.freeze(time) { session.touch }
+        session.session.reload
+        expect(session.expires_at).to eq time + Authie.config.persistent_session_length
+      end
+
+      it 'updates the cookie' do
+        time = session_model.created_at
+        Timecop.freeze(time) { session.touch }
+        expect(set_cookies['user_session'][:expires]).to eq time + Authie.config.persistent_session_length
+      end
+    end
   end
 
   describe '#see_password' do