
bug: access tokens can be expired in cookies because we refresh them

+10 -10
+10 -1
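--- a/src/http/handle_oauth.rs
+++ b/src/http/handle_oauth.rs
@@ -34,6 +34,7 @@
 use axum_htmx::{HxBoosted, HxRedirect, HxRequest};
 use axum_template::RenderHtml;
 use chrono::{Duration, Utc};
+use cookie::time::OffsetDateTime;
 use http::StatusCode;
 use minijinja::context as template_context;
 use rand::{Rng, distr::Alphanumeric};
@@ -759,12 +760,16 @@
 
     let cookie_value: String = session_cookie.try_into()?;
 
+    let mut cookie_expires = OffsetDateTime::now_utc();
+    cookie_expires += Duration::weeks(52);
+
     let mut cookie = Cookie::new(AUTH_COOKIE_NAME, cookie_value);
     cookie.set_domain(web_context.config.external_base.clone());
     cookie.set_path("/");
     cookie.set_http_only(true);
     cookie.set_secure(true);
     cookie.set_max_age(Some(cookie::time::Duration::days(365))); // Longer expiry since we have refresh tokens
+    cookie.set_expires(cookie_expires);
     cookie.set_same_site(Some(SameSite::Lax));
 
     let updated_jar = jar.add(cookie);
@@ -908,12 +913,16 @@
 
     let cookie_value: String = new_session.try_into()?;
 
+    let mut cookie_expires = OffsetDateTime::now_utc();
+    cookie_expires += Duration::weeks(52);
+
     let mut cookie = Cookie::new(AUTH_COOKIE_NAME, cookie_value);
     cookie.set_domain(web_context.config.external_base.clone());
     cookie.set_path("/");
     cookie.set_http_only(true);
     cookie.set_secure(true);
-    cookie.set_max_age(Some(cookie::time::Duration::days(30)));
+    cookie.set_max_age(Some(cookie::time::Duration::days(365))); // Longer expiry since we have refresh tokens
+    cookie.set_expires(cookie_expires);
     cookie.set_same_site(Some(SameSite::Lax));
 
     let updated_jar = jar.add(cookie);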
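Review bot: The new `Expires` and the existing `Max-Age` on the auth cookie disagree — `cookie_expires` is now + 52 weeks (364 days) while `set_max_age` uses 365 days — and the same five cookie-lifetime lines are duplicated in both hunks. Browsers that honor Max-Age ignore Expires so the mismatch is harmless today, but derive both from one constant, e.g. `const AUTH_COOKIE_LIFETIME: cookie::time::Duration = cookie::time::Duration::days(365);` and `cookie.set_expires(OffsetDateTime::now_utc() + AUTH_COOKIE_LIFETIME);`. Unqualified `Duration` in this file appears to be the chrono import on line 36 (the max_age line spells out `cookie::time::Duration` to avoid it), so `cookie_expires += Duration::weeks(52)` either relies on a different `Duration` being in scope or will not type-check against `time::OffsetDateTime` — spelling it `cookie::time::Duration::weeks(52)` removes the ambiguity. With a one-year cookie, the stored refresh token's validity rather than the cookie's age becomes the effective bound on a stolen session, which is worth stating in the comment. Both enclosing functions begin before these hunks.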
-9
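--- a/src/http/middleware_auth.rs
+++ b/src/http/middleware_auth.rs
@@ -128,15 +128,6 @@
     if let Some(session_cookie) = session {
         trace!(did = %session_cookie.did, "Found session cookie");
 
-        // Check if token is expired
-        if session_cookie.is_expired() {
-            debug!(did = %session_cookie.did, "Session token expired");
-            // Token is expired, but we could potentially refresh it
-            // For now, treat as unauthenticated and let user re-login
-            // A more sophisticated approach would auto-refresh here
-            return Ok(Auth::Unauthenticated);
-        }
-
         // Look up the user's profile from the database
         match crate::storage::identity_profile::handle_for_did(
             &web_context.pool,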
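Review bot: With the `is_expired()` guard removed, the middleware now passes an expired access token straight into the profile lookup and on to the handlers, and nothing in this hunk replaces the check; the commit message says the tokens are refreshed, but no refresh call is visible here, so that must live elsewhere and should be confirmed for every consumer of `session_cookie`. In particular a downstream call made with the stale token should map an upstream 401 to `Auth::Unauthenticated` rather than surfacing as a server error, and a failed refresh should clear the cookie. Since the cookie now lives 365 days (handle_oauth.rs in this commit), the refresh token's server-side validity is the only thing that ends a session, so a captured cookie stays usable until that refresh is rejected; a short comment at the removed site would make the new contract explicit: `// Expiry is deliberately not checked here: an expired access token is refreshed downstream, and a failed refresh must be treated as Unauthenticated.` The enclosing `if let Some(session_cookie)` block continues past the hunk.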