add session expiration fields to auth method form and model

gatekeeper/forms.py

@@ -163,6 +163,18 @@ class AuthMethodForm(forms.ModelForm):
         required=False,
         help_text=_('Enter a 6-digit PIN generated by your authenticator app to validate the secret.')
     )
+    session_expiration_value = forms.IntegerField(
+        label=_('Session Expiration'),
+        min_value=1,
+        required=False,
+        initial=12,
+    )
+    session_expiration_unit = forms.ChoiceField(
+        label=_('Unit'),
+        choices=[('hours', _('Hour(s)')), ('days', _('Day(s)'))],
+        required=False,
+        initial='hours',
+    )
 
     class Meta:
         model = AuthMethod
@@ -185,6 +197,13 @@ class AuthMethodForm(forms.ModelForm):
 
         if self.instance and self.instance.pk:
             self.fields['auth_type'].disabled = True
+            exp_min = self.instance.session_expiration_minutes
+            if exp_min % 1440 == 0:
+                self.initial['session_expiration_value'] = exp_min // 1440
+                self.initial['session_expiration_unit'] = 'days'
+            else:
+                self.initial['session_expiration_value'] = max(1, round(exp_min / 60))
+                self.initial['session_expiration_unit'] = 'hours'
 
         self.helper = FormHelper()
         self.helper.layout = Layout(
@@ -207,6 +226,11 @@ class AuthMethodForm(forms.ModelForm):
                 Div('oidc_client_secret', css_class='col-xl-6'),
                 css_class='row oidc-group'
             ),
+            Div(
+                Div('session_expiration_value', css_class='col-xl-6'),
+                Div('session_expiration_unit', css_class='col-xl-6'),
+                css_class='row expiration-group'
+            ),
             Div(
                 Div(
                     Submit('submit', _('Save'), css_class='btn btn-primary'),
@@ -232,7 +256,7 @@ class AuthMethodForm(forms.ModelForm):
                 self.add_error('totp_pin', _('TOTP validation PIN must be empty for Local Password authentication.'))
             if oidc_provider or oidc_client_id or oidc_client_secret:
                 self.add_error(None, _('OIDC fields must be empty for Local Password authentication.'))
-            
+
             existing_local = AuthMethod.objects.filter(auth_type='local_password')
             if self.instance and self.instance.pk:
                 existing_local = existing_local.exclude(pk=self.instance.pk)
@@ -260,8 +284,24 @@ class AuthMethodForm(forms.ModelForm):
             if cleaned_data.get('totp_pin'):
                 self.add_error('totp_pin', _('TOTP validation PIN must be empty for OIDC authentication.'))
 
+        if auth_type in ('local_password', 'oidc'):
+            value = cleaned_data.get('session_expiration_value') or 12
+            unit = cleaned_data.get('session_expiration_unit') or 'hours'
+            if unit == 'days':
+                cleaned_data['_session_expiration_minutes'] = value * 1440
+            else:
+                cleaned_data['_session_expiration_minutes'] = value * 60
+
         return cleaned_data
 
+    def save(self, commit=True):
+        instance = super().save(commit=False)
+        if instance.auth_type in ('local_password', 'oidc'):
+            instance.session_expiration_minutes = self.cleaned_data.get('_session_expiration_minutes', 720)
+        if commit:
+            instance.save()
+        return instance
+
 class GatekeeperIPAddressForm(forms.ModelForm):
     class Meta:
         model = GatekeeperIPAddress