authboss/expire.go

package authboss

import (
	"net/http"
	"time"
)

var nowTime = time.Now

// TimeToExpiry returns zero if the user session is expired else the time until expiry.
func (a *Authboss) TimeToExpiry(w http.ResponseWriter, r *http.Request) time.Duration {
	//TODO(aarondl): Rewrite this so it makes sense with new ClientStorer idioms
	//return a.timeToExpiry(state.(ClientState))
	return 0
}

func (a *Authboss) timeToExpiry(session ClientState) time.Duration {
	dateStr, ok := session.Get(SessionLastAction)
	if !ok {
		return a.ExpireAfter
	}

	date, err := time.Parse(time.RFC3339, dateStr)
	if err != nil {
		panic("last_action is not a valid RFC3339 date")
	}

	remaining := date.Add(a.ExpireAfter).Sub(nowTime().UTC())
	if remaining > 0 {
		return remaining
	}

	return 0
}

// RefreshExpiry  updates the last action for the user, so he doesn't become expired.
func (a *Authboss) RefreshExpiry(w http.ResponseWriter, r *http.Request) {
	//TODO(aarondl): Fix
	//a.refreshExpiry(session)
}

func (a *Authboss) refreshExpiry(session ClientState) {
	//TODO(aarondl): Fix
	PutSession(nil, SessionLastAction, nowTime().UTC().Format(time.RFC3339))
}

type expireMiddleware struct {
	ab   *Authboss
	next http.Handler
}

// ExpireMiddleware ensures that the user's expiry information is kept up-to-date
// on each request. Deletes the SessionKey from the session if the user is
// expired (a.ExpireAfter duration since SessionLastAction).
// This middleware conflicts with use of the Remember module, don't enable both
// at the same time.
func (a *Authboss) ExpireMiddleware(next http.Handler) http.Handler {
	return expireMiddleware{a, next}
}

// ServeHTTP removes the session if it's passed the expire time.
func (m expireMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	//TODO(aarondl): Fix
	/*
		if _, ok := GetSession(r, SessionKey); ok {
			ttl := m.ab.timeToExpiry(session)
			if ttl == 0 {
				session.Del(SessionKey)
				session.Del(SessionLastAction)
			} else {
				m.ab.refreshExpiry(session)
			}
		}

		m.next.ServeHTTP(w, r)*/
}
WIP fixing expiry 2015-03-02 08:04:31 -08:00			`package authboss`

			`import (`
			`"net/http"`
			`"time"`
			`)`

			`var nowTime = time.Now`

			`// TimeToExpiry returns zero if the user session is expired else the time until expiry.`
Stop reliance on global scope. - This change was necessary because multi-tenancy sites could not use authboss properly. 2015-03-31 12:34:03 -07:00			`func (a Authboss) TimeToExpiry(w http.ResponseWriter, r http.Request) time.Duration {`
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers. 2017-02-24 16:45:47 -08:00			`//TODO(aarondl): Rewrite this so it makes sense with new ClientStorer idioms`
			`//return a.timeToExpiry(state.(ClientState))`
			`return 0`
WIP fixing expiry 2015-03-02 08:04:31 -08:00			`}`

Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers. 2017-02-24 16:45:47 -08:00			`func (a *Authboss) timeToExpiry(session ClientState) time.Duration {`
WIP fixing expiry 2015-03-02 08:04:31 -08:00			`dateStr, ok := session.Get(SessionLastAction)`
			`if !ok {`
Stop reliance on global scope. - This change was necessary because multi-tenancy sites could not use authboss properly. 2015-03-31 12:34:03 -07:00			`return a.ExpireAfter`
WIP fixing expiry 2015-03-02 08:04:31 -08:00			`}`

			`date, err := time.Parse(time.RFC3339, dateStr)`
			`if err != nil {`
			`panic("last_action is not a valid RFC3339 date")`
			`}`

Stop reliance on global scope. - This change was necessary because multi-tenancy sites could not use authboss properly. 2015-03-31 12:34:03 -07:00			`remaining := date.Add(a.ExpireAfter).Sub(nowTime().UTC())`
WIP fixing expiry 2015-03-02 08:04:31 -08:00			`if remaining > 0 {`
			`return remaining`
			`}`

			`return 0`
			`}`

			`// RefreshExpiry updates the last action for the user, so he doesn't become expired.`
Stop reliance on global scope. - This change was necessary because multi-tenancy sites could not use authboss properly. 2015-03-31 12:34:03 -07:00			`func (a Authboss) RefreshExpiry(w http.ResponseWriter, r http.Request) {`
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers. 2017-02-24 16:45:47 -08:00			`//TODO(aarondl): Fix`
			`//a.refreshExpiry(session)`
WIP fixing expiry 2015-03-02 08:04:31 -08:00			`}`

Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers. 2017-02-24 16:45:47 -08:00			`func (a *Authboss) refreshExpiry(session ClientState) {`
			`//TODO(aarondl): Fix`
			`PutSession(nil, SessionLastAction, nowTime().UTC().Format(time.RFC3339))`
WIP fixing expiry 2015-03-02 08:04:31 -08:00			`}`

			`type expireMiddleware struct {`
Stop reliance on global scope. - This change was necessary because multi-tenancy sites could not use authboss properly. 2015-03-31 12:34:03 -07:00			`ab *Authboss`
WIP fixing expiry 2015-03-02 08:04:31 -08:00			`next http.Handler`
			`}`

			`// ExpireMiddleware ensures that the user's expiry information is kept up-to-date`
			`// on each request. Deletes the SessionKey from the session if the user is`
Stop reliance on global scope. - This change was necessary because multi-tenancy sites could not use authboss properly. 2015-03-31 12:34:03 -07:00			`// expired (a.ExpireAfter duration since SessionLastAction).`
Add redirection on pages when logged in. - Stop logged in users from accessing pages like auth/recover etc. - Ensure that half-authed users are allowed access to auth-like pages. - Make sure that if users have a remember token, it's processed before we decide if a user is logged in or not, preventing or granting access to these pages. - Fix #58 2015-04-10 22:23:54 -07:00			`// This middleware conflicts with use of the Remember module, don't enable both`
			`// at the same time.`
Stop reliance on global scope. - This change was necessary because multi-tenancy sites could not use authboss properly. 2015-03-31 12:34:03 -07:00			`func (a *Authboss) ExpireMiddleware(next http.Handler) http.Handler {`
			`return expireMiddleware{a, next}`
WIP fixing expiry 2015-03-02 08:04:31 -08:00			`}`

Add redirection on pages when logged in. - Stop logged in users from accessing pages like auth/recover etc. - Ensure that half-authed users are allowed access to auth-like pages. - Make sure that if users have a remember token, it's processed before we decide if a user is logged in or not, preventing or granting access to these pages. - Fix #58 2015-04-10 22:23:54 -07:00			`// ServeHTTP removes the session if it's passed the expire time.`
WIP fixing expiry 2015-03-02 08:04:31 -08:00			`func (m expireMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Request) {`
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers. 2017-02-24 16:45:47 -08:00			`//TODO(aarondl): Fix`
			`/*`
			`if _, ok := GetSession(r, SessionKey); ok {`
			`ttl := m.ab.timeToExpiry(session)`
			`if ttl == 0 {`
			`session.Del(SessionKey)`
			`session.Del(SessionLastAction)`
			`} else {`
			`m.ab.refreshExpiry(session)`
			`}`
WIP fixing expiry 2015-03-02 08:04:31 -08:00			`}`

Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers. 2017-02-24 16:45:47 -08:00			`m.next.ServeHTTP(w, r)*/`
WIP fixing expiry 2015-03-02 08:04:31 -08:00			`}`