From 8475f5bccd8ba48a1c91789160f6c0ddf129aafe Mon Sep 17 00:00:00 2001
From: Thomas Sileo
Date: Mon, 21 Nov 2022 20:43:51 +0100
Subject: [PATCH] Fix admin session timeout

---
 app/admin.py | 3 ++-
 app/config.py | 3 +++
 app/templates.py | 5 +++--
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/app/admin.py b/app/admin.py
index e837c46..17a06cb 100644
--- a/app/admin.py
+++ b/app/admin.py
@@ -30,6 +30,7 @@ from app.boxes import send_block
 from app.boxes import send_follow
 from app.boxes import send_unblock
 from app.config import EMOJIS
+from app.config import SESSION_TIMEOUT
 from app.config import generate_csrf_token
 from app.config import session_serializer
 from app.config import verify_csrf_token
@@ -66,7 +67,7 @@ async def user_session_or_redirect(
 raise _RedirectToLoginPage
 try:
- loaded_session = session_serializer.loads(session, max_age=3600 * 24 * 3)
+ loaded_session = session_serializer.loads(session, max_age=SESSION_TIMEOUT)
 except Exception:
 logger.exception("Failed to validate admin session")
 raise _RedirectToLoginPage
diff --git a/app/config.py b/app/config.py
index 132030f..54bd4e1 100644
--- a/app/config.py
+++ b/app/config.py
@@ -116,6 +116,8 @@ class Config(pydantic.BaseModel):
 sqlalchemy_database: str | None = None
 key_path: str | None = None
+ session_timeout: int = 3600 * 24 * 3 # in seconds, 3 days by default
+
 # Only set when the app is served on a non-root path
 id: str | None = None
@@ -171,6 +173,7 @@ ALSO_KNOWN_AS = CONFIG.also_known_as
 CUSTOM_CONTENT_SECURITY_POLICY = CONFIG.custom_content_security_policy
 INBOX_RETENTION_DAYS = CONFIG.inbox_retention_days
+SESSION_TIMEOUT = CONFIG.session_timeout
 CUSTOM_FOOTER = (
 markdown(CONFIG.custom_footer.replace("{version}", VERSION))
 if CONFIG.custom_footer
diff --git a/app/templates.py b/app/templates.py
index e33c588..ea4fb26 100644
--- a/app/templates.py
+++ b/app/templates.py
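Review bot: The `except Exception:` around the new `session_serializer.loads(session, max_age=SESSION_TIMEOUT)` call in `user_session_or_redirect` still lumps a routinely expired admin session together with a malformed or tampered cookie, and `logger.exception` emits a traceback for both. If `session_serializer` is an itsdangerous timed serializer (the `max_age=` keyword suggests so, but its definition is not in this diff), catching `SignatureExpired` first and logging it at info level, then `BadSignature` at warning level, with the generic `Exception` handler kept as the last resort, would let whoever watches the logs tell tampering attempts apart from ordinary expiry without changing the redirect behaviour. The same `except Exception:` / `logger.exception` pairing is introduced in the `is_current_user_admin` hunk of app/templates.py, where it replaces a silent `pass`; the name suggests that helper runs for ordinary unauthenticated template rendering, so any visitor presenting a stale or garbage cookie would now produce an exception-level entry with a traceback on every request, and its message `"Failed to validate session timeout"` misdescribes what failed — `"Failed to validate session cookie"` at a lower level would read better. `user_session_or_redirect` starts and ends outside this hunk.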
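Review bot: The new `session_timeout: int` field on `Config` accepts zero and negative values, and a non-positive `max_age` passed to the `loads` calls in app/admin.py and app/templates.py would most likely make every admin session validate as expired (fail-closed, but puzzling to operate); since the model is already a `pydantic.BaseModel`, `session_timeout: pydantic.PositiveInt = 3600 * 24 * 3  # in seconds, 3 days by default` rejects such values when the config is loaded. The inline comment could also say what the value bounds, e.g. `# Admin session lifetime in seconds, enforced as max_age on the signed session cookie; 3 days by default`, so an operator raising it understands it also extends how long a leaked cookie stays usable. The `Config` class starts and continues outside this hunk.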
@@ -27,6 +27,7 @@ from app.ap_object import Object
 from app.config import BASE_URL
 from app.config import CUSTOM_FOOTER
 from app.config import DEBUG
+from app.config import SESSION_TIMEOUT
 from app.config import VERSION
 from app.config import generate_csrf_token
 from app.config import session_serializer
@@ -69,10 +70,10 @@ def is_current_user_admin(request: Request) -> bool:
 try:
 loaded_session = session_serializer.loads(
 session_cookie,
- max_age=3600 * 12,
+ max_age=SESSION_TIMEOUT,
 )
 except Exception:
- pass
+ logger.exception("Failed to validate session timeout")
 else:
 is_admin = loaded_session.get("is_logged_in")