fix: fix session handling (remove IdleTimeout)

frontend/src/router/index.js

@@ -125,7 +125,7 @@ router.beforeEach(async (to) => {
 
 router.afterEach(async (to, from) => {
   const sec = securityStore()
-  const csrfPages = ['/login']
+  const csrfPages = ['/', '/login']
 
   if (csrfPages.includes(to.path)) {
     await sec.LoadSecurityProperties() // make sure we have a valid csrf token

internal/app/api/core/assets/doc/v0_swagger.json

@@ -58,7 +58,7 @@
             }
         },
         "/auth/logout": {
-            "get": {
+            "post": {
                 "produces": [
                     "application/json"
                 ],
@@ -66,15 +66,12 @@
                     "Authentication"
                 ],
                 "summary": "Get all available external login providers.",
-                "operationId": "auth_handleLogoutGet",
+                "operationId": "auth_handleLogoutPost",
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "type": "array",
-                            "items": {
-                                "$ref": "#/definitions/model.LoginProviderInfo"
-                            }
+                            "$ref": "#/definitions/model.Error"
                         }
                     }
                 }
@@ -1523,23 +1520,23 @@
         "model.AuditEntry": {
             "type": "object",
             "properties": {
+                "ContextUser": {
+                    "type": "string"
+                },
+                "Id": {
+                    "type": "integer"
+                },
                 "Message": {
                     "type": "string"
                 },
-                "ctx_user": {
-                    "type": "string"
-                },
-                "id": {
-                    "type": "integer"
-                },
-                "origin": {
+                "Origin": {
                     "description": "origin: for example user auth, stats, ...",
                     "type": "string"
                 },
-                "severity": {
+                "Severity": {
                     "type": "string"
                 },
-                "timestamp": {
+                "Timestamp": {
                     "type": "string"
                 }
             }

internal/app/api/core/assets/doc/v0_swagger.yaml

@@ -2,18 +2,18 @@ basePath: /api/v0
 definitions:
   model.AuditEntry:
     properties:
+      ContextUser:
+        type: string
+      Id:
+        type: integer
       Message:
         type: string
-      ctx_user:
-        type: string
-      id:
-        type: integer
-      origin:
+      Origin:
         description: 'origin: for example user auth, stats, ...'
         type: string
-      severity:
+      Severity:
         type: string
-      timestamp:
+      Timestamp:
         type: string
     type: object
   model.ConfigOption-array_string:
@@ -496,17 +496,15 @@ paths:
       tags:
       - Authentication
   /auth/logout:
-    get:
-      operationId: auth_handleLogoutGet
+    post:
+      operationId: auth_handleLogoutPost
       produces:
       - application/json
       responses:
         "200":
           description: OK
           schema:
-            items:
-              $ref: '#/definitions/model.LoginProviderInfo'
-            type: array
+            $ref: '#/definitions/model.Error'
       summary: Get all available external login providers.
       tags:
       - Authentication

internal/app/api/v0/handlers/base.go

@@ -57,9 +57,11 @@ func NewRestApi(
 	return func() (core.ApiVersion, core.GroupSetupFn) {
 		return "v0", func(group *routegroup.Bundle) {
 			csrfMiddleware := csrf.New(func(r *http.Request) string {
-				return session.GetString(r.Context(), "csrf_token")
+				return session.GetData(r.Context()).CsrfToken
 			}, func(r *http.Request, token string) {
-				session.Put(r.Context(), "csrf_token", token)
+				currentSession := session.GetData(r.Context())
+				currentSession.CsrfToken = token
+				session.SetData(r.Context(), currentSession)
 			})
 
 			group.Use(session.LoadAndSave)

internal/app/api/v0/handlers/endpoint_authentication.go

@@ -295,6 +295,9 @@ func (e AuthEndpoint) handleOauthCallbackGet() http.HandlerFunc {
 }
 
 func (e AuthEndpoint) setAuthenticatedUser(r *http.Request, user *domain.User) {
+	// start a fresh session
+	e.session.DestroyData(r.Context())
+
 	currentSession := e.session.GetData(r.Context())
 
 	currentSession.LoggedIn = true
@@ -358,12 +361,12 @@ func (e AuthEndpoint) handleLoginPost() http.HandlerFunc {
 
 // handleLogoutPost returns a gorm Handler function.
 //
-// @ID auth_handleLogoutGet
+// @ID auth_handleLogoutPost
 // @Tags Authentication
 // @Summary Get all available external login providers.
 // @Produce json
-// @Success 200 {object} []model.LoginProviderInfo
-// @Router /auth/logout [get]
+// @Success 200 {object} model.Error
+// @Router /auth/logout [post]
 func (e AuthEndpoint) handleLogoutPost() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		currentSession := e.session.GetData(r.Context())

internal/app/api/v0/handlers/web_session.go

@@ -43,7 +43,6 @@ type SessionWrapper struct {
 func NewSessionWrapper(cfg *config.Config) *SessionWrapper {
 	sessionManager := scs.New()
 	sessionManager.Lifetime = 24 * time.Hour
-	sessionManager.IdleTimeout = 1 * time.Hour
 	sessionManager.Cookie.Name = cfg.Web.SessionIdentifier
 	sessionManager.Cookie.Secure = strings.HasPrefix(cfg.Web.ExternalUrl, "https")
 	sessionManager.Cookie.HttpOnly = true