Add hard expiration to Flask session #5907
Conversation
cbartz
force-pushed
the
multipass-session-expiry
branch
from
74a845a
to
30f8cec
Compare
|
Just wondering... should there some kind of indicator that the session will expire soon when someone uses this feature? It'd be a bit disruptive if someone is e.g. writing an abstract or minutes for an event and does not realize that the session will expire in a few minutes! |
This may make sense. Would a flash inside |
|
We do use flash messages in a few places, but IMHO it would be nicer to actually expose the session expiry to the client, and show a warning dialog client-side that the session will soon expire (with the option to refresh it (by going through the login again)) when getting close to the expiry. |
Hi @ThiefMaster, we were also proposing an expiration dialog of this nature to warn users when the session is about to expire and give them the opportunity to refresh: is this something we can coordinate with this pr? cc @OmeGak |
|
Sending a pr to @cbartz's branch sounds good to me. |
indico/modules/auth/__init__.py
Outdated
| @@ -30,6 +32,12 @@ | |||
| @multipass.identity_handler | |||
| def process_identity(identity_info): | |||
| logger.info('Received identity info: %s', identity_info) | |||
|
|
|||
| if session_expiry := identity_info.multipass_data.get('session_expiry'): | |||
There was a problem hiding this comment.
Hi @cbartz, please does this work when logging in with a local account? I'm getting a AttributeError: 'NoneType' object has no attribute 'get' when logging in with a local account.
There was a problem hiding this comment.
the multipass_data is None for local accounts. so this is currently a bug in the PR
|
Hi @ThiefMaster, I have sent a PR to @cbartz's branch here: cbartz#1 There are still some problems with it like some resources being fetched when opening the dialog which refreshes the session. You won't see this if you run indico with the |
|
Try this to prevent those requests from refreshing the session: diff --git a/indico/web/flask/session.py b/indico/web/flask/session.py
index 8637f295c4..1d7fc785dd 100644
--- a/indico/web/flask/session.py
+++ b/indico/web/flask/session.py
@@ -162,6 +162,9 @@ class IndicoSessionInterface(SessionInterface):
return self.temporary_session_lifetime
def should_refresh_session(self, app, session):
+ if (request.blueprint == 'assets' or
+ (request.blueprint.startswith('plugin_') and request.endpoint.endswith('.static'))):
+ return False
if session.new or '_expires' not in session:
return False
threshold = self.get_storage_lifetime(app, session) / 2Or replace that whole if condition with |
| @@ -25,4 +26,7 @@ | |||
| {{ render_announcements() }} | |||
| {% endblock %} | |||
| {% block body %}{% endblock %} | |||
| {% block session_expiration %} | |||
There was a problem hiding this comment.
@SegiNyn do you override that block on your side? or is it a leftover that's no longer needed?
There was a problem hiding this comment.
Yes, sorry this is a leftover that's not being used
ThiefMaster
force-pushed
the
multipass-session-expiry
branch
from
d8018b1
to
8ee74d9
Compare
|
I forcepushed some cleanups and also getting rid of those merge commits while rebasing |
|
@SegiNyn some feedback after testing this:
|
|
Also, considering that the dialog still needs a bit of work and is not as straightforward as I originally thought, I'm thinking about merging this PR without the dialog stuff tomorrow (3.3 is under development so having no indicator of a soon-expiring session for the time being is fine). That way we avoid the indirection of PRs to a fork, and reviewing the dialog stuff properly will be easier... |
|
hi @ThiefMaster, Yes I did notice the issue with the buttons which basically do the same thing but I had not thought of how disruptive it would be to refresh the page while the user is filling in an abstract. So I can add a custom dialog for this part. It's ok for me if you merge this pr with the hard expiry and then I create a different one for the dialog. I'm not going to be in tomorrow so I cannot work on it until Monday anyway. |
ThiefMaster
force-pushed
the
multipass-session-expiry
branch
from
d213be1
to
8e9778d
Compare
Make sure the expiry is set as the function may return before the end, where the logic was placed before.
Co-authored-by: Adrian <adrian@planetcoding.net>
ThiefMaster
force-pushed
the
multipass-session-expiry
branch
from
df4cdde
to
6d27d38
Compare
|
@SegiNyn I pushed a branch containing your changes, rebased on top of the latest master, to |
|
Thanks for merging the PR @ThiefMaster |
This PR adds the ability to set a hard expiration for the Flask session. This can be used in conjunction with a Flask Multipass identity provider that specifies the session expiration. See this post for more details on use cases and implementation considerations.