From 4d85b23e8ac0a6e80e7c76e167bf8043d0836cba Mon Sep 17 00:00:00 2001 From: Aaron L Date: Sat, 30 Mar 2019 15:56:13 -0700 Subject: [PATCH] Fix missing lastaction on login - Add Setup() function for expire to install a hook to set last action on successful login. If Setup() is not called, expiration starts from the first request made by the logged in user after the login request itself. --- CHANGELOG.md | 4 +++- README.md | 3 +++ expire/expire.go | 13 +++++++++++++ expire/expire_test.go | 25 +++++++++++++++++++++++++ 4 files changed, 44 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7c02f13..0950f7a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,7 +3,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). -## [Unreleased] +## [2.3.0] - 2019-03-30 ### Added @@ -20,6 +20,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ### Fixed +- Fix bug where user's expiration time did not start until their first + request after login. - Fix bug where expired users could perform one request past their expiration - Fix bug with missing imports (thanks @frederikhors) - Fix bug with inverted remember me checkbox logic diff --git a/README.md b/README.md index ef62b21..ac21f68 100644 --- a/README.md +++ b/README.md @@ -593,6 +593,9 @@ User | [User](https://godoc.org/github.com/volatiletech/authboss/#User) Values | _None_ Mailer | _None_ +**Note:** Unlike most modules in Authboss you must call `expire.Setup()` +to enable this module. See the sample to see how to do this. This may be changed in the future. + Expire simply uses sessions to track when the last action of a user is, if that action is longer than configured then the session is deleted and the user removed from the request context. diff --git a/expire/expire.go b/expire/expire.go index 6873ccf..93cc7d2 100644 --- a/expire/expire.go 
+++ b/expire/expire.go
@@ -11,6 +11,19 @@ import (
 
 var nowTime = time.Now
 
+// Setup the expire module
+//
+// This installs a hook into the login process so that the
+// LastAction is recorded immediately.
+func Setup(ab *authboss.Authboss) error {
+ ab.Events.After(authboss.EventAuth, func(w http.ResponseWriter, r *http.Request, handled bool) (bool, error) {
+ refreshExpiry(w)
+ return false, nil
+ })
+
+ return nil
+}
+
 // TimeToExpiry returns zero if the user session is expired else the time
 // until expiry. Takes in the allowed idle duration.
 func TimeToExpiry(r *http.Request, expireAfter time.Duration) time.Duration {
diff --git a/expire/expire_test.go b/expire/expire_test.go
index 539e9f5..a78d887 100644
--- a/expire/expire_test.go
+++ b/expire/expire_test.go
@@ -11,6 +11,31 @@ import (
 "github.com/volatiletech/authboss/mocks"
 )
 
+func TestExpireSetup(t *testing.T) {
+ ab := authboss.New()
+
+ clientRW := mocks.NewClientRW()
+ ab.Storage.SessionState = clientRW
+
+ Setup(ab)
+
+ w := httptest.NewRecorder()
+ wr := ab.NewResponse(w)
+
+ handled, err := ab.Events.FireAfter(authboss.EventAuth, wr, nil)
+ if handled {
+ t.Error("it should not handle the event")
+ }
+ if err != nil {
+ t.Error(err)
+ }
+
+ wr.WriteHeader(http.StatusOK)
+ if _, ok := clientRW.ClientValues[authboss.SessionLastAction]; !ok {
+ t.Error("last action should have been set")
+ }
+}
+
 func TestExpireIsExpired(t *testing.T) {
 ab := authboss.New()
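Review bot: The doc comment on `Setup` in expire/expire.go does not say what happens when the call is omitted, which is the part an integrator relying on the idle timeout needs to know. Per the commit message, expiry then starts only at the first request after login, so a freshly authenticated session has no LastAction recorded until that request. I would word it as `// Setup installs an After hook on authboss.EventAuth that records LastAction at login.` followed by `// Without it, expiry is measured from the first request after the login request.` The hook also ignores `handled`, and Setup can only return nil, so a one-line comment saying the error return is reserved for future use would help. refreshExpiry is defined outside this hunk, so what it writes is not checked here.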
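Review bot: `Setup(ab)` in TestExpireSetup discards the returned error, so if Setup later gains a failure path the test would go on to assert against a hook that was never installed; `if err := Setup(ab); err != nil { t.Fatal(err) }` closes that gap. The final check only proves that the authboss.SessionLastAction key exists in ClientValues, not that a usable timestamp was stored. If ClientValues holds strings, which is not visible here, asserting that the value is non-empty would make the test catch a hook that writes an empty value.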