Add hard expiration to Flask session #5907
Just wondering... should there be some kind of indicator that the session will expire soon when someone uses this feature? It'd be a bit disruptive if someone is e.g. writing an abstract or minutes for an event and does not realize that the session will expire in a few minutes!
This may make sense. Would a flash inside |
We do use flash messages in a few places, but IMHO it would be nicer to actually expose the session expiry to the client, and show a warning dialog client-side that the session will soon expire (with the option to refresh it (by going through the login again)) when getting close to the expiry.
Hi @ThiefMaster, we were also proposing an expiration dialog of this nature to warn users when the session is about to expire and give them the opportunity to refresh: is this something we can coordinate with this PR? cc @OmeGak
Sending a PR to @cbartz's branch sounds good to me.
indico/modules/auth/__init__.py
Outdated
@@ -30,6 +32,12 @@ | |||
@multipass.identity_handler | |||
def process_identity(identity_info): | |||
logger.info('Received identity info: %s', identity_info) | |||
|
|||
if session_expiry := identity_info.multipass_data.get('session_expiry'): |
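Review bot: on the added walrus line, `identity_info.multipass_data.get('session_expiry')` calls `.get` without checking that `multipass_data` is set; when it is None this raises AttributeError inside `process_identity` and the login fails. Guard the lookup, for example `(identity_info.multipass_data or {}).get('session_expiry')`, so identities without provider data simply get no hard expiry.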
Hi @cbartz, please does this work when logging in with a local account? I'm getting an AttributeError: 'NoneType' object has no attribute 'get' when logging in with a local account.
the multipass_data is None for local accounts. so this is currently a bug in the PR
Okay, thanks
Hi @ThiefMaster, I have sent a PR to @cbartz's branch here: cbartz#1 There are still some problems with it like some resources being fetched when opening the dialog which refreshes the session. You won't see this if you run indico with the |
Try this to prevent those requests from refreshing the session: diff --git a/indico/web/flask/session.py b/indico/web/flask/session.py
index 8637f295c4..1d7fc785dd 100644
--- a/indico/web/flask/session.py
+++ b/indico/web/flask/session.py
@@ -162,6 +162,9 @@ class IndicoSessionInterface(SessionInterface):
return self.temporary_session_lifetime
def should_refresh_session(self, app, session):
+ if (request.blueprint == 'assets' or
+ (request.blueprint.startswith('plugin_') and request.endpoint.endswith('.static'))):
+ return False
if session.new or '_expires' not in session:
return False
threshold = self.get_storage_lifetime(app, session) / 2 Or replace that whole if condition with |
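Review bot: in the added condition at the top of `should_refresh_session`, `request.blueprint.startswith('plugin_')` and `request.endpoint.endswith('.static')` are called without a None check; Flask leaves both attributes as None when the URL did not match a route, and `request.blueprint` is also None for endpoints outside a blueprint, so such a request would raise AttributeError here instead of falling through to the existing checks. Normalise first, e.g. `blueprint = request.blueprint or ''` and `endpoint = request.endpoint or ''`, and test those.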
@@ -25,4 +26,7 @@ | |||
{{ render_announcements() }} | |||
{% endblock %} | |||
{% block body %}{% endblock %} | |||
{% block session_expiration %} |
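Review bot: `{% block session_expiration %}` is added after `{% block body %}` with no content visible in this hunk and nothing here that overrides it; if no child template fills it, drop the block, otherwise add a template comment naming what is expected to override it.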
@SegiNyn do you override that block on your side? or is it a leftover that's no longer needed?
Yes, sorry this is a leftover that's not being used
I force-pushed some cleanups and also getting rid of those merge commits while rebasing
@SegiNyn some feedback after testing this:
Also, considering that the dialog still needs a bit of work and is not as straightforward as I originally thought, I'm thinking about merging this PR without the dialog stuff tomorrow (3.3 is under development so having no indicator of a soon-expiring session for the time being is fine). That way we avoid the indirection of PRs to a fork, and reviewing the dialog stuff properly will be easier...
Hi @ThiefMaster, yes, I did notice the issue with the buttons which basically do the same thing, but I had not thought of how disruptive it would be to refresh the page while the user is filling in an abstract. So I can add a custom dialog for this part. It's ok for me if you merge this PR with the hard expiry and then I create a different one for the dialog. I'm not going to be in tomorrow so I cannot work on it until Monday anyway.
Make sure the expiry is set as the function may return before the end, where the logic was placed before.
Co-authored-by: Adrian <adrian@planetcoding.net>
@SegiNyn I pushed a branch containing your changes, rebased on top of the latest master, to |
Thanks for merging the PR @ThiefMaster
This PR adds the ability to set a hard expiration for the Flask session. This can be used in conjunction with a Flask Multipass identity provider that specifies the session expiration. See this post for more details on use cases and implementation considerations.
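An added sketch, not Indico's code, of how a hard expiration caps a sliding session and why static-asset requests must not refresh it. The `_hard_expiry` key, `LIFETIME`, the function names and the sample times are assumptions made for this example; `_expires` and the half-lifetime refresh threshold follow the diff quoted in the thread.

```python
from datetime import datetime, timedelta, timezone

LIFETIME = timedelta(hours=1)  # constructed sliding lifetime


def is_static(blueprint, endpoint):
    # None-safe form of the asset check from the thread: unmatched
    # requests have no blueprint/endpoint and must not crash here.
    bp, ep = blueprint or '', endpoint or ''
    return bp == 'assets' or (bp.startswith('plugin_') and ep.endswith('.static'))


def cap(expires, hard_expiry):
    # The sliding expiry may never move past the hard expiry.
    return expires if hard_expiry is None else min(expires, hard_expiry)


def new_session(now, hard_expiry=None):
    # '_hard_expiry' is a hypothetical key used only in this example.
    return {'_hard_expiry': hard_expiry, '_expires': cap(now + LIFETIME, hard_expiry)}


def handle_request(session, now, blueprint=None, endpoint=None):
    """Return False if the session has expired, else slide it and return True."""
    if now >= session['_expires']:
        return False
    remaining = session['_expires'] - now
    # Refresh only for real page requests, and only in the second half
    # of the lifetime (the threshold used in the quoted diff).
    if not is_static(blueprint, endpoint) and remaining < LIFETIME / 2:
        session['_expires'] = cap(now + LIFETIME, session['_hard_expiry'])
    return True


def survives(hard_after=None, hours=8, step=timedelta(minutes=40)):
    """Simulate an active user; return the offset of the first rejected request."""
    start = datetime(2023, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed
    hard = None if hard_after is None else start + hard_after
    session = new_session(start, hard)
    now = start
    while now - start < timedelta(hours=hours):
        now += step
        if not handle_request(session, now, blueprint='events'):
            return now - start
    return None  # still valid when the simulation ends
```

With a request every 40 minutes the purely sliding session never expires, while a hard expiry three hours after login rejects the first request made after that point.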