FEATURE: configure session time via site setting for all the users (#…

…4343)
discourse · Jul 22, 2016 · a9207da · a9207da · xfalcox · Jul 22, 2016
1 parent b2289d7
commit a9207da
Show file tree

Hide file tree

Showing 8 changed files with 19 additions and 12 deletions.
diff --git a/app/models/post.rb b/app/models/post.rb
@@ -708,6 +708,7 @@ def create_reply_relationship_with(post)
 # Indexes
 #
 #  idx_posts_created_at_topic_id            (created_at,topic_id)
+#  idx_posts_deleted_posts                  (topic_id,post_number)
 #  idx_posts_user_id_deleted_at             (user_id)
 #  index_posts_on_reply_to_post_number      (reply_to_post_number)
 #  index_posts_on_topic_id_and_post_number  (topic_id,post_number) UNIQUE

diff --git a/app/models/site_customization.rb b/app/models/site_customization.rb
@@ -284,6 +284,7 @@ def self.link_css_tag(href)
 #  mobile_header_baked     :text
 #  footer_baked            :text
 #  mobile_footer_baked     :text
+#  compiler_version        :integer          default(0), not null
 #
 # Indexes
 #

diff --git a/app/models/unsubscribe_key.rb b/app/models/unsubscribe_key.rb
@@ -34,6 +34,7 @@ def generate_random_key
 #  updated_at           :datetime
 #  unsubscribe_key_type :string
 #  topic_id             :integer
+#  post_id              :integer
 #
 # Indexes
 #

diff --git a/app/models/user.rb b/app/models/user.rb
@@ -1048,6 +1048,7 @@ def update_previous_visit(timestamp)
 #  trust_level_locked      :boolean          default(FALSE), not null
 #  staged                  :boolean          default(FALSE), not null
 #  first_seen_at           :datetime
+#  auth_token_created_at   :datetime
 #
 # Indexes
 #

diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
@@ -909,7 +909,7 @@ en:
     post_undo_action_window_mins: "Number of minutes users are allowed to undo recent actions on a post (like, flag, etc)."
     must_approve_users: "Staff must approve all new user accounts before they are allowed to access the site. WARNING: enabling this for a live site will revoke access for existing non-staff users!"
     pending_users_reminder_delay: "Notify moderators if new users have been waiting for approval for longer than this many hours. Set to -1 to disable notifications."
-    permanent_session_cookie: "Use a permanent cookie that persists after closing the browser. When disabling this, you may want to log out everyone programmatically."
+    maximum_session_age: "User will remain logged in for n hours."
     ga_tracking_code: "OBSOLETE: Google analytics (ga.js) tracking code code, eg: UA-12345678-9; see http://google.com/analytics"
     ga_domain_name: "OBSOLETE: Google analytics (ga.js) domain name, eg: mysite.com; see http://google.com/analytics"
     ga_universal_tracking_code: "Google Universal Analytics (analytics.js) tracking code code, eg: UA-12345678-9; see http://google.com/analytics"

diff --git a/config/site_settings.yml b/config/site_settings.yml
@@ -304,7 +304,10 @@ login:
   pending_users_reminder_delay:
     min: -1
     default: 8
-  permanent_session_cookie: true
+  maximum_session_age:
+    default: 2160
+    min: 1
+    max: 175200
 
 users:
   min_username_length:

diff --git a/db/migrate/20160722071221_add_auth_token_created_at_to_users.rb b/db/migrate/20160722071221_add_auth_token_created_at_to_users.rb
@@ -0,0 +1,5 @@
+class AddAuthTokenCreatedAtToUsers < ActiveRecord::Migration
+  def change
+    add_column :users, :auth_token_created_at, :datetime, null: true
+  end
+end
diff --git a/lib/auth/default_current_user_provider.rb b/lib/auth/default_current_user_provider.rb
@@ -36,7 +36,7 @@ def current_user
     current_user = nil
 
     if auth_token && auth_token.length == 32
-      current_user = User.find_by(auth_token: auth_token)
+      current_user = User.where(auth_token: auth_token).where('auth_token_created_at IS NULL OR auth_token_created_at > ?', SiteSetting.maximum_session_age.hours.ago).first
     end
 
     if current_user && (current_user.suspended? || !current_user.active)
@@ -62,15 +62,10 @@ def current_user
   end
 
   def log_on_user(user, session, cookies)
-    unless user.auth_token && user.auth_token.length == 32
-      user.auth_token = SecureRandom.hex(16)
-      user.save!
-    end
-    if SiteSetting.permanent_session_cookie
-      cookies.permanent[TOKEN_COOKIE] = { value: user.auth_token, httponly: true }
-    else
-      cookies[TOKEN_COOKIE] = { value: user.auth_token, httponly: true }
-    end
+    user.auth_token = SecureRandom.hex(16)
+    user.auth_token_created_at = Time.zone.now
+    user.save!
+    cookies[TOKEN_COOKIE] = { value: user.auth_token, httponly: true, expires: SiteSetting.maximum_session_age.hours.from_now }
     make_developer_admin(user)
     enable_bootstrap_mode(user)
     @env[CURRENT_USER_KEY] = user