From e54bc82e422d73e292d1255548c5c2cd9475aa07 Mon Sep 17 00:00:00 2001
From: nd <git@notandy.de>
Date: Sun, 7 Mar 2021 03:26:07 +0100
Subject: [PATCH] add support for a session timeout

---
 app.py            | 10 +++++++++-
 default_config.py |  1 +
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/app.py b/app.py
index 878f451..b91ee7d 100644
--- a/app.py
+++ b/app.py
@@ -16,9 +16,16 @@ def create_app(test_config=None):
 	# oauthlib enforces the OAuth2.0 requirement to use HTTPS, when this is not set
 	os.environ['OAUTHLIB_INSECURE_TRANSPORT'] = '1' # That behaviour sucks, so disable it
 
+	def session_valid():
+		if not session.get('user_id'):
+			return False
+		if datetime.datetime.now().timestamp() > session['logintime'] + current_app.config['SESSION_LIFETIME_SECONDS']:
+			return False
+		return True
+
 	@app.route("/auth")
 	def auth():
-		if not session.get('user_id'):
+		if not session_valid():
 			abort(401)
 		resp = Response('Ok', 200)
 		resp.headers['OAUTH-USER-ID'] = session['user_id']
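Review bot: `session_valid()` indexes `session['logintime']` directly, so a session that already carries a `user_id` but was issued before this patch (no `logintime` key) raises `KeyError` and turns `/auth` into a 500 instead of the intended 401. Treating a missing timestamp as expired closes that gap: `if datetime.datetime.now().timestamp() > session.get('logintime', 0) + current_app.config['SESSION_LIFETIME_SECONDS']:`. An expired session is also left intact in the cookie; since `session_valid()` is the only place that notices expiry, it should drop the stale identity so the next request starts clean, e.g. `session.clear()` immediately before the `return False` of the timeout branch, otherwise a later bug that skips this helper would silently revive the expired login. `time.time()` gives the same epoch float with less ceremony than `datetime.datetime.now().timestamp()`, and the comparison should use the same clock as the writer in the login route.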
@@ -38,6 +45,7 @@ def create_app(test_config=None):
 		client = get_oauth()
 		url, state = client.authorization_url(app.config['OAUTH2_AUTH_URL'])
 		session['state'] = state
+		session['logintime'] = datetime.datetime.now().timestamp()
 		parts = request.full_path.split('?rawurl=', 1)
 		if len(parts) == 2:
 			session['url'] = parts[1]
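Review bot: `session['logintime']` is stamped when the authorization redirect is built, before the user has authenticated, so the lifetime counts from the start of the OAuth flow rather than from a completed login — and a browser that still holds a valid `user_id` can refresh the stamp simply by hitting this login-start route again without ever finishing the flow, which extends the session for another `SESSION_LIFETIME_SECONDS` with no re-authentication. The timestamp belongs next to the line that stores `session['user_id']` in the callback handler (that handler is outside this hunk, as is the start of the function this hunk sits in), so that it can only be set by a successful token exchange. Until it is moved, the `/auth` check above measures "time since login was attempted", not "time since login". If the write has to stay here, it should at least not overwrite a stamp that belongs to a live session: `session.setdefault('logintime', datetime.datetime.now().timestamp())`.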
diff --git a/default_config.py b/default_config.py
index 4d3d061..cb01286 100644
--- a/default_config.py
+++ b/default_config.py
@@ -12,3 +12,4 @@ OAUTH2_USERINFO_URL = 'http://localhost:5001/oauth2/userinfo'
 SESSION_COOKIE_SECURE=True
 SESSION_COOKIE_HTTPONLY=True
 SESSION_COOKIE_SAMESITE='Strict'
+SESSION_LIFETIME_SECONDS=3600
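Review bot: The new setting needs a comment saying what kind of timeout it is, because from the name alone an operator will assume an idle timeout that sliding activity refreshes, whereas the check in `app.py` compares against a fixed stamp and never renews it. Suggested line above the value: `# Absolute session lifetime, counted from when the login flow started; activity does not extend it.` Stating the unit in the name is good; stating the semantics in the comment keeps someone from setting it to a week on the assumption that idle sessions still expire.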
-- 
GitLab