add session expiration fields to auth method form and model

gatekeeper/forms.py

@@ -163,6 +163,18 @@ class AuthMethodForm(forms.ModelForm):
         required=False,
         help_text=_('Enter a 6-digit PIN generated by your authenticator app to validate the secret.')
     )
+    session_expiration_value = forms.IntegerField(
+        label=_('Session Expiration'),
+        min_value=1,
+        required=False,
+        initial=12,
+    )
+    session_expiration_unit = forms.ChoiceField(
+        label=_('Unit'),
+        choices=[('hours', _('Hour(s)')), ('days', _('Day(s)'))],
+        required=False,
+        initial='hours',
+    )
 
     class Meta:
         model = AuthMethod
@@ -185,6 +197,13 @@ class AuthMethodForm(forms.ModelForm):
 
         if self.instance and self.instance.pk:
             self.fields['auth_type'].disabled = True
+            exp_min = self.instance.session_expiration_minutes
+            if exp_min % 1440 == 0:
+                self.initial['session_expiration_value'] = exp_min // 1440
+                self.initial['session_expiration_unit'] = 'days'
+            else:
+                self.initial['session_expiration_value'] = max(1, round(exp_min / 60))
+                self.initial['session_expiration_unit'] = 'hours'
 
         self.helper = FormHelper()
         self.helper.layout = Layout(
@@ -207,6 +226,11 @@ class AuthMethodForm(forms.ModelForm):
                 Div('oidc_client_secret', css_class='col-xl-6'),
                 css_class='row oidc-group'
             ),
+            Div(
+                Div('session_expiration_value', css_class='col-xl-6'),
+                Div('session_expiration_unit', css_class='col-xl-6'),
+                css_class='row expiration-group'
+            ),
             Div(
                 Div(
                     Submit('submit', _('Save'), css_class='btn btn-primary'),
@@ -260,8 +284,24 @@ class AuthMethodForm(forms.ModelForm):
             if cleaned_data.get('totp_pin'):
                 self.add_error('totp_pin', _('TOTP validation PIN must be empty for OIDC authentication.'))
 
+        if auth_type in ('local_password', 'oidc'):
+            value = cleaned_data.get('session_expiration_value') or 12
+            unit = cleaned_data.get('session_expiration_unit') or 'hours'
+            if unit == 'days':
+                cleaned_data['_session_expiration_minutes'] = value * 1440
+            else:
+                cleaned_data['_session_expiration_minutes'] = value * 60
+
         return cleaned_data
 
+    def save(self, commit=True):
+        instance = super().save(commit=False)
+        if instance.auth_type in ('local_password', 'oidc'):
+            instance.session_expiration_minutes = self.cleaned_data.get('_session_expiration_minutes', 720)
+        if commit:
+            instance.save()
+        return instance
+
 class GatekeeperIPAddressForm(forms.ModelForm):
     class Meta:
         model = GatekeeperIPAddress

gatekeeper/migrations/0008_authmethod_session_expiration_minutes.py

@@ -0,0 +1,16 @@
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('gatekeeper', '0007_remove_authmethod_totp_before_auth_and_more'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='authmethod',
+            name='session_expiration_minutes',
+            field=models.PositiveIntegerField(default=720, help_text='Session expiration time in minutes (only for Local Password and OIDC)'),
+        ),
+    ]

gatekeeper/migrations/0009_alter_authmethod_session_expiration_minutes.py

@@ -0,0 +1,18 @@
+# Generated by Django 5.2.12 on 2026-03-15 20:44
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('gatekeeper', '0008_authmethod_session_expiration_minutes'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='authmethod',
+            name='session_expiration_minutes',
+            field=models.PositiveIntegerField(default=720, help_text='Session expiration time in minutes'),
+        ),
+    ]

gatekeeper/migrations/0010_alter_gatekeeperuser_email.py

@@ -0,0 +1,18 @@
+# Generated by Django 5.2.12 on 2026-03-15 22:38
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('gatekeeper', '0009_alter_authmethod_session_expiration_minutes'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='gatekeeperuser',
+            name='email',
+            field=models.EmailField(blank=True, max_length=254),
+        ),
+    ]

gatekeeper/models.py

@@ -16,6 +16,12 @@ class AuthMethod(models.Model):
     # TOTP-specific fields
     totp_secret = models.CharField(max_length=255, blank=True, help_text=_("Shared/global TOTP secret key"))
 
+    # Session expiration (Local Password and OIDC only)
+    session_expiration_minutes = models.PositiveIntegerField(
+        default=720,
+        help_text=_("Session expiration time in minutes")
+    )
+
     # OIDC-specific fields
     oidc_provider = models.CharField(max_length=64, blank=True)
     oidc_client_id = models.CharField(max_length=255, blank=True)
@@ -64,7 +70,7 @@ class AuthMethodAllowedEmail(models.Model):
 
 class GatekeeperUser(models.Model):
     username = models.SlugField(max_length=64, unique=True)
-    email = models.EmailField(unique=True, blank=True)
+    email = models.EmailField(blank=True)
     password = models.CharField(blank=True, max_length=250, help_text=_("Password for local authentication (leave blank if not using)"))
     totp_secret = models.CharField(max_length=255, blank=True, help_text=_("Per-user TOTP secret key"))
 

gatekeeper/views.py

@@ -200,7 +200,7 @@ def view_manage_auth_method(request):
         <p>Users will authenticate using a standard username and password stored locally. Only one of this type can be created.</p>
         
         <h5>OIDC (OpenID Connect)</h5>
-        <p>Users will authenticate via an external identity provider (like Keycloak, Google, or Authelia). Requires Provider URL, Client ID, and Client Secret.</p>
+        <p>Users will authenticate via an external identity provider (like Keycloak or Google). Requires Provider URL, Client ID, and Client Secret.</p>
         
         <h5>TOTP (Time-Based One-Time Password)</h5>
         <p>Users will need to enter a rotating token from an authenticator app. If a user does not have a personal TOTP configured, the <strong>Global TOTP Secret</strong> will be used instead. </p>

templates/gatekeeper/gatekeeper_auth_method_form.html

@@ -41,18 +41,22 @@
     $(document).ready(function () {
         function toggleFields() {
             var authType = $('#id_auth_type').val();
-            if (authType === 'local_password' || authType === 'ip_address') {
+            if (authType === 'local_password') {
                 $('.totp-group').hide();
                 $('.oidc-group').hide();
+                $('.expiration-group').show();
             } else if (authType === 'totp') {
                 $('.totp-group').show();
                 $('.oidc-group').hide();
+                $('.expiration-group').hide();
             } else if (authType === 'oidc') {
                 $('.totp-group').hide();
                 $('.oidc-group').show();
+                $('.expiration-group').show();
             } else {
                 $('.totp-group').hide();
                 $('.oidc-group').hide();
+                $('.expiration-group').hide();
             }
         }