[PATCH] session: force a session to be terminated after 30 days
Export this patch
We don't want to keep a session alive forever just because someone has
their browser tab with an connection to an alps instance open.
This resolves https://todo.sr.ht/~migadu/alps/146
Signed-off-by: Silvan Jegen <s.jegen@gmail.com>
---
session.go | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/session.go b/session.go
index a85bff6..2de5620 100644
--- a/session.go
+++ b/session.go
@@ -19,8 +19,15 @@ import (
)
// TODO: make this configurable
-const sessionDuration = 30 * time.Minute
-const maxAttachmentSize = 32 << 20 // 32 MiB
+const (
+ sessionDuration = 30 * time.Minute
+ maxAttachmentSize = 32 << 20 // 32 MiB
+
+ // mandatoryLogoutAfter indicates the amount of time that a
+ // session can be active before it is terminated and the user has
+ // to login again.
+ mandatoryLogoutAfter = 30 * 24 * time.Hour
+)
func generateToken() (string, error) {
b := make([]byte, 32)
@@ -306,6 +313,7 @@ func (sm *SessionManager) Put(username, password string) (*Session, error) {
go func() {
timer := time.NewTimer(sessionDuration)
+ mandatoryLogout := time.NewTimer(mandatoryLogoutAfter)
alive := true
for alive {
@@ -319,10 +327,13 @@ func (sm *SessionManager) Put(username, password string) (*Session, error) {
alive = false
case <-s.closed:
alive = false
+ case <-mandatoryLogout.C:
+ alive = false
}
}
timer.Stop()
+ mandatoryLogout.Stop()
s.imapLocker.Lock()
if s.imapConn != nil {
--
2.47.1
Thanks for sending a patch! Not sure this is really something desirable
though. I've added a comment on the issue.