add rolling expiry with max age

keygen-sh · Feb 24, 2025 · c7b1233 · c7b1233
1 parent 5cc3e01
commit c7b1233
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 2 deletions.
diff --git a/app/controllers/api/v1/tokens_controller.rb b/app/controllers/api/v1/tokens_controller.rb
@@ -84,7 +84,7 @@ def generate
 
       # TODO(ezekg) make default session expiry configurable
       session = token.sessions.build(
-        expiry: token.expiry.presence || (1.week + 12.hours).from_now,
+        expiry: token.expiry.presence || 1.week.from_now,
         user_agent: request.user_agent,
         ip: request.remote_ip,
       )

diff --git a/app/controllers/concerns/authentication.rb b/app/controllers/concerns/authentication.rb
@@ -127,6 +127,7 @@ def http_cookie_authenticator(cookie_jar)
 
     if session.last_used_at.nil? || session.last_used_at.before?(1.hour.ago)
       session.update(
+        expiry: session.expiry + 12.hours, # extend expiry while in use until MAX_AGE
         last_used_at: Time.current,
         user_agent: request.user_agent,
         ip: request.remote_ip,

diff --git a/app/models/session.rb b/app/models/session.rb
@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 class Session < ApplicationRecord
+  MAX_AGE = 2.weeks
+
   include Denormalizable
   include Environmental
   include Accountable
@@ -15,5 +17,5 @@ class Session < ApplicationRecord
   denormalizes :bearer_type, :bearer_id,
     from: :token
 
-  def expired? = expiry < Time.current
+  def expired? = expiry < Time.current || created_at < MAX_AGE.ago
 end