feat: add session max lifetime and fix refresh logic

.env.example

@@ -38,6 +38,8 @@ TINYAUTH_AUTH_USERSFILE=""
 TINYAUTH_AUTH_SECURECOOKIE="true"
 # Session expiry in seconds (7200 = 2 hours)
 TINYAUTH_AUTH_SESSIONEXPIRY="7200"
+# Session maximum lifetime in seconds (0 = unlimited)
+TINYAUTH_AUTH_SESSIONMAXLIFETIME="0"
 # Login timeout in seconds (300 = 5 minutes)
 TINYAUTH_AUTH_LOGINTIMEOUT="300"
 # Maximum login retries before lockout

cmd/tinyauth/tinyauth.go

@@ -25,9 +25,10 @@ func NewTinyauthCmdConfiguration() *config.Config {
 			Address: "0.0.0.0",
 		},
 		Auth: config.AuthConfig{
-			SessionExpiry:   3600,
-			LoginTimeout:    300,
-			LoginMaxRetries: 3,
+			SessionExpiry:      3600,
+			SessionMaxLifetime: 0,
+			LoginTimeout:       300,
+			LoginMaxRetries:    3,
 		},
 		UI: config.UIConfig{
 			Title:                 "Tinyauth",

config.example.yaml

@@ -38,6 +38,8 @@ auth:
   secureCookie: false
   # Session expiry in seconds (3600 = 1 hour)
   sessionExpiry: 3600
+  # Session maximum lifetime in seconds (0 = unlimited)
+  sessionMaxLifetime: 0
   # Login timeout in seconds (300 = 5 minutes)
   loginTimeout: 300
   # Maximum login retries before lockout

internal/assets/migrations/000004_created_at.down.sql

@@ -0,0 +1 @@
+ALTER TABLE "sessions" DROP COLUMN "created_at";

internal/assets/migrations/000004_created_at.up.sql

@@ -0,0 +1 @@
+ALTER TABLE "sessions" ADD COLUMN "created_at" INTEGER NOT NULL DEFAULT 0;

internal/bootstrap/app_bootstrap.go

@@ -42,6 +42,10 @@ func NewBootstrapApp(config config.Config) *BootstrapApp {
 }
 
 func (app *BootstrapApp) Setup() error {
+	// validate session config
+	if app.config.Auth.SessionMaxLifetime != 0 && app.config.Auth.SessionMaxLifetime < app.config.Auth.SessionExpiry {
+		return fmt.Errorf("session max lifetime cannot be less than session expiry")
+	}
 	// Parse users
 	users, err := utils.GetUsers(app.config.Auth.Users, app.config.Auth.UsersFile)
 

internal/bootstrap/db_bootstrap.go

@@ -27,6 +27,10 @@ func (app *BootstrapApp) SetupDatabase(databasePath string) (*sql.DB, error) {
 		return nil, fmt.Errorf("failed to open database: %w", err)
 	}
 
+	// Limit to 1 connection to sequence writes, this may need to be revisited in the future
+	// if the sqlite connection starts being a bottleneck
+	db.SetMaxOpenConns(1)
+
 	migrations, err := iofs.New(assets.Migrations, "migrations")
 
 	if err != nil {

internal/bootstrap/service_bootstrap.go

@@ -58,14 +58,15 @@ func (app *BootstrapApp) initServices(queries *repository.Queries) (Services, er
 	services.accessControlService = accessControlsService
 
 	authService := service.NewAuthService(service.AuthServiceConfig{
-		Users:             app.context.users,
-		OauthWhitelist:    app.config.OAuth.Whitelist,
-		SessionExpiry:     app.config.Auth.SessionExpiry,
-		SecureCookie:      app.config.Auth.SecureCookie,
-		CookieDomain:      app.context.cookieDomain,
-		LoginTimeout:      app.config.Auth.LoginTimeout,
-		LoginMaxRetries:   app.config.Auth.LoginMaxRetries,
-		SessionCookieName: app.context.sessionCookieName,
+		Users:              app.context.users,
+		OauthWhitelist:     app.config.OAuth.Whitelist,
+		SessionExpiry:      app.config.Auth.SessionExpiry,
+		SessionMaxLifetime: app.config.Auth.SessionMaxLifetime,
+		SecureCookie:       app.config.Auth.SecureCookie,
+		CookieDomain:       app.context.cookieDomain,
+		LoginTimeout:       app.config.Auth.LoginTimeout,
+		LoginMaxRetries:    app.config.Auth.LoginMaxRetries,
+		SessionCookieName:  app.context.sessionCookieName,
 	}, dockerService, ldapService, queries)
 
 	err = authService.Init()

internal/config/config.go

@@ -40,12 +40,13 @@ type ServerConfig struct {
 }
 
 type AuthConfig struct {
-	Users           string `description:"Comma-separated list of users (username:hashed_password)." yaml:"users"`
-	UsersFile       string `description:"Path to the users file." yaml:"usersFile"`
-	SecureCookie    bool   `description:"Enable secure cookies." yaml:"secureCookie"`
-	SessionExpiry   int    `description:"Session expiry time in seconds." yaml:"sessionExpiry"`
-	LoginTimeout    int    `description:"Login timeout in seconds." yaml:"loginTimeout"`
-	LoginMaxRetries int    `description:"Maximum login retries." yaml:"loginMaxRetries"`
+	Users              string `description:"Comma-separated list of users (username:hashed_password)." yaml:"users"`
+	UsersFile          string `description:"Path to the users file." yaml:"usersFile"`
+	SecureCookie       bool   `description:"Enable secure cookies." yaml:"secureCookie"`
+	SessionExpiry      int    `description:"Session expiry time in seconds." yaml:"sessionExpiry"`
+	SessionMaxLifetime int    `description:"Maximum session lifetime in seconds." yaml:"sessionMaxLifetime"`
+	LoginTimeout       int    `description:"Login timeout in seconds." yaml:"loginTimeout"`
+	LoginMaxRetries    int    `description:"Maximum login retries." yaml:"loginMaxRetries"`
 }
 
 type OAuthConfig struct {

internal/controller/proxy_controller_test.go

@@ -57,13 +57,14 @@ func setupProxyController(t *testing.T, middlewares *[]gin.HandlerFunc) (*gin.En
 				Password: "$2a$10$ne6z693sTgzT3ePoQ05PgOecUHnBjM7sSNj6M.l5CLUP.f6NyCnt.", // test
 			},
 		},
-		OauthWhitelist:    "",
-		SessionExpiry:     3600,
-		SecureCookie:      false,
-		CookieDomain:      "localhost",
-		LoginTimeout:      300,
-		LoginMaxRetries:   3,
-		SessionCookieName: "tinyauth-session",
+		OauthWhitelist:     "",
+		SessionExpiry:      3600,
+		SessionMaxLifetime: 0,
+		SecureCookie:       false,
+		CookieDomain:       "localhost",
+		LoginTimeout:       300,
+		LoginMaxRetries:    3,
+		SessionCookieName:  "tinyauth-session",
 	}, dockerService, nil, queries)
 
 	// Controller

internal/controller/user_controller_test.go

@@ -60,13 +60,14 @@ func setupUserController(t *testing.T, middlewares *[]gin.HandlerFunc) (*gin.Eng
 				TotpSecret: totpSecret,
 			},
 		},
-		OauthWhitelist:    "",
-		SessionExpiry:     3600,
-		SecureCookie:      false,
-		CookieDomain:      "localhost",
-		LoginTimeout:      300,
-		LoginMaxRetries:   3,
-		SessionCookieName: "tinyauth-session",
+		OauthWhitelist:     "",
+		SessionExpiry:      3600,
+		SessionMaxLifetime: 0,
+		SecureCookie:       false,
+		CookieDomain:       "localhost",
+		LoginTimeout:       300,
+		LoginMaxRetries:    3,
+		SessionCookieName:  "tinyauth-session",
 	}, nil, nil, queries)
 
 	// Controller

internal/service/auth_service.go

@@ -26,14 +26,15 @@ type LoginAttempt struct {
 }
 
 type AuthServiceConfig struct {
-	Users             []config.User
-	OauthWhitelist    string
-	SessionExpiry     int
-	SecureCookie      bool
-	CookieDomain      string
-	LoginTimeout      int
-	LoginMaxRetries   int
-	SessionCookieName string
+	Users              []config.User
+	OauthWhitelist     string
+	SessionExpiry      int
+	SessionMaxLifetime int
+	SecureCookie       bool
+	CookieDomain       string
+	LoginTimeout       int
+	LoginMaxRetries    int
+	SessionCookieName  string
 }
 
 type AuthService struct {
@@ -212,6 +213,7 @@ func (auth *AuthService) CreateSessionCookie(c *gin.Context, data *config.Sessio
 		TotpPending: data.TotpPending,
 		OAuthGroups: data.OAuthGroups,
 		Expiry:      time.Now().Add(time.Duration(expiry) * time.Second).Unix(),
+		CreatedAt:   time.Now().Unix(),
 		OAuthName:   data.OAuthName,
 		OAuthSub:    data.OAuthSub,
 	}
@@ -242,11 +244,19 @@ func (auth *AuthService) RefreshSessionCookie(c *gin.Context) error {
 
 	currentTime := time.Now().Unix()
 
-	if session.Expiry-currentTime > int64(time.Hour.Seconds()) {
+	var refreshThreshold int64
+
+	if auth.config.SessionExpiry <= int(time.Hour.Seconds()) {
+		refreshThreshold = int64(auth.config.SessionExpiry / 2)
+	} else {
+		refreshThreshold = int64(time.Hour.Seconds())
+	}
+
+	if session.Expiry-currentTime > refreshThreshold {
 		return nil
 	}
 
-	newExpiry := currentTime + int64(time.Hour.Seconds())
+	newExpiry := session.Expiry + refreshThreshold
 
 	_, err = auth.queries.UpdateSession(c, repository.UpdateSessionParams{
 		Username:    session.Username,
@@ -265,7 +275,8 @@ func (auth *AuthService) RefreshSessionCookie(c *gin.Context) error {
 		return err
 	}
 
-	c.SetCookie(auth.config.SessionCookieName, cookie, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", auth.config.CookieDomain), auth.config.SecureCookie, true)
+	c.SetCookie(auth.config.SessionCookieName, cookie, int(newExpiry-currentTime), "/", fmt.Sprintf(".%s", auth.config.CookieDomain), auth.config.SecureCookie, true)
+	log.Trace().Str("username", session.Username).Msg("Session cookie refreshed")
 
 	return nil
 }
@@ -306,6 +317,16 @@ func (auth *AuthService) GetSessionCookie(c *gin.Context) (config.SessionCookie,
 
 	currentTime := time.Now().Unix()
 
+	if auth.config.SessionMaxLifetime != 0 && session.CreatedAt != 0 {
+		if currentTime-session.CreatedAt > int64(auth.config.SessionMaxLifetime) {
+			err = auth.queries.DeleteSession(c, cookie)
+			if err != nil {
+				log.Error().Err(err).Msg("Failed to delete session exceeding max lifetime")
+			}
+			return config.SessionCookie{}, fmt.Errorf("session expired due to max lifetime exceeded")
+		}
+	}
+
 	if currentTime > session.Expiry {
 		err = auth.queries.DeleteSession(c, cookie)
 		if err != nil {

query.sql

@@ -8,10 +8,11 @@ INSERT INTO sessions (
     "totp_pending",
     "oauth_groups",
     "expiry",
+    "created_at",
     "oauth_name",
     "oauth_sub"
 ) VALUES (
-    ?, ?, ?, ?, ?, ?, ?, ?, ?, ?
+    ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?
 )
 RETURNING *;
 

schema.sql

@@ -7,6 +7,7 @@ CREATE TABLE IF NOT EXISTS "sessions" (
     "totp_pending" BOOLEAN NOT NULL,
     "oauth_groups" TEXT NULL,
     "expiry" INTEGER NOT NULL,
+    "created_at" INTEGER NOT NULL,
     "oauth_name" TEXT NULL,
     "oauth_sub" TEXT NULL
 );