The smokesignal.events web application

bug: access tokens can be expired in cookies because we refresh them

+10 -10
+10 -1
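--- a/src/http/handle_oauth.rs
+++ b/src/http/handle_oauth.rs
@@ -34,6 +34,7 @@
 use axum_htmx::{HxBoosted, HxRedirect, HxRequest};
 use axum_template::RenderHtml;
 use chrono::{Duration, Utc};
+use cookie::time::OffsetDateTime;
 use http::StatusCode;
 use minijinja::context as template_context;
 use rand::{Rng, distr::Alphanumeric};
@@ -759,12 +760,16 @@
 
     let cookie_value: String = session_cookie.try_into()?;
 
+    let mut cookie_expires = OffsetDateTime::now_utc();
+    cookie_expires += Duration::weeks(52);
+
     let mut cookie = Cookie::new(AUTH_COOKIE_NAME, cookie_value);
     cookie.set_domain(web_context.config.external_base.clone());
     cookie.set_path("/");
     cookie.set_http_only(true);
     cookie.set_secure(true);
     cookie.set_max_age(Some(cookie::time::Duration::days(365))); // Longer expiry since we have refresh tokens
+    cookie.set_expires(cookie_expires);
     cookie.set_same_site(Some(SameSite::Lax));
 
     let updated_jar = jar.add(cookie);
@@ -908,12 +913,16 @@
 
     let cookie_value: String = new_session.try_into()?;
 
+    let mut cookie_expires = OffsetDateTime::now_utc();
+    cookie_expires += Duration::weeks(52);
+
     let mut cookie = Cookie::new(AUTH_COOKIE_NAME, cookie_value);
     cookie.set_domain(web_context.config.external_base.clone());
     cookie.set_path("/");
     cookie.set_http_only(true);
     cookie.set_secure(true);
-    cookie.set_max_age(Some(cookie::time::Duration::days(30)));
+    cookie.set_max_age(Some(cookie::time::Duration::days(365))); // Longer expiry since we have refresh tokens
+    cookie.set_expires(cookie_expires);
     cookie.set_same_site(Some(SameSite::Lax));
 
     let updated_jar = jar.add(cookie);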
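Review bot: The `Expires` value built at new lines 763–764 (and again at 916–917) is `now + Duration::weeks(52)`, i.e. 364 days, while `Max-Age` on the line below it stays at 365 days, and with the imports visible in the first hunk the unqualified `Duration` resolves to `chrono::Duration`, which `OffsetDateTime` does not accept in `+=` as far as I can tell — if a later `use` in the file shadows it, only the mismatch remains. Clients that honor `Max-Age` ignore `Expires` entirely, so the two should at least be derived from one value: `let cookie_expires = OffsetDateTime::now_utc() + cookie::time::Duration::days(365);` and drop the `+=` line. The same eleven-line cookie construction now appears verbatim in both handlers (new 763–773 and 916–925); before this commit the two copies had already drifted to 30 vs 365 days, so a small helper that takes the cookie value and returns the configured `Cookie` would stop that from recurring. Since the companion change in middleware_auth.rs removes the `is_expired()` gate, this cookie's lifetime is now the only bound the middleware enforces; whatever path refreshes the token should remove the cookie from the jar when the refresh is rejected, otherwise a dead session keeps being presented for a year — that path is not in this diff, so I cannot confirm it does. Both enclosing handlers start and end outside these hunks.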
-9
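--- a/src/http/middleware_auth.rs
+++ b/src/http/middleware_auth.rs
@@ -128,16 +128,7 @@
     if let Some(session_cookie) = session {
         trace!(did = %session_cookie.did, "Found session cookie");
 
-        // Check if token is expired
-        if session_cookie.is_expired() {
-            debug!(did = %session_cookie.did, "Session token expired");
-            // Token is expired, but we could potentially refresh it
-            // For now, treat as unauthenticated and let user re-login
-            // A more sophisticated approach would auto-refresh here
-            return Ok(Auth::Unauthenticated);
-        }
-
         // Look up the user's profile from the database
         match crate::storage::identity_profile::handle_for_did(
             &web_context.pool,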