Fix missing lastaction on login

- Add Setup() function for expire to install a hook to set last action on successful login. If Setup() is not called, expiration starts from the first request made by the logged in user after the login request itself.
2025-02-13 13:58:38 +02:00 · 2019-03-30 15:56:13 -07:00 · 2019-03-30 15:56:13 -07:00 · 4d85b23e8a
commit 4d85b23e8a
parent 834bb1ba43
4 changed files with 44 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -3,7 +3,7 @@
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).

-## [Unreleased]
+## [2.3.0] - 2019-03-30

 ### Added

@ -20,6 +20,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.

 ### Fixed

+- Fix bug where user's expiration time did not start until their first
+  request after login.
 - Fix bug where expired users could perform one request past their expiration
 - Fix bug with missing imports (thanks @frederikhors)
 - Fix bug with inverted remember me checkbox logic
--- a/README.md
+++ b/README.md
@ -593,6 +593,9 @@ User          | [User](https://godoc.org/github.com/volatiletech/authboss/#User)
 Values        | _None_
 Mailer        | _None_

+**Note:** Unlike most modules in Authboss you must call `expire.Setup()`
+to enable this module. See the sample to see how to do this. This may be changed in the future.
+
 Expire simply uses sessions to track when the last action of a user is, if that action is longer
 than configured then the session is deleted and the user removed from the request context.

--- a/expire/expire.go
+++ b/expire/expire.go
@ -11,6 +11,19 @@ import (

 var nowTime = time.Now

+// Setup the expire module
+//
+// This installs a hook into the login process so that the
+// LastAction is recorded immediately.
+func Setup(ab *authboss.Authboss) error {
+	ab.Events.After(authboss.EventAuth, func(w http.ResponseWriter, r *http.Request, handled bool) (bool, error) {
+		refreshExpiry(w)
+		return false, nil
+	})
+
+	return nil
+}
+
 // TimeToExpiry returns zero if the user session is expired else the time
 // until expiry. Takes in the allowed idle duration.
 func TimeToExpiry(r *http.Request, expireAfter time.Duration) time.Duration {
--- a/expire/expire_test.go
+++ b/expire/expire_test.go
@ -11,6 +11,31 @@ import (
 	"github.com/volatiletech/authboss/mocks"
 )

+func TestExpireSetup(t *testing.T) {
+	ab := authboss.New()
+
+	clientRW := mocks.NewClientRW()
+	ab.Storage.SessionState = clientRW
+
+	Setup(ab)
+
+	w := httptest.NewRecorder()
+	wr := ab.NewResponse(w)
+
+	handled, err := ab.Events.FireAfter(authboss.EventAuth, wr, nil)
+	if handled {
+		t.Error("it should not handle the event")
+	}
+	if err != nil {
+		t.Error(err)
+	}
+
+	wr.WriteHeader(http.StatusOK)
+	if _, ok := clientRW.ClientValues[authboss.SessionLastAction]; !ok {
+		t.Error("last action should have been set")
+	}
+}
+
 func TestExpireIsExpired(t *testing.T) {
 	ab := authboss.New()