- Add Setup() function for expire to install a hook to set last action
on successful login. If Setup() is not called, expiration starts from
the first request made by the logged in user after the login request
itself.
Users were able to persist one request past expiration because the
session state was not actually hidden for downstream http handlers as it
was in Authboss 1.0 because of the abstraction of ClientState where an
http handler cannot alter the session for subsequent handlers.
There are a number of positive reasons for the design as is, but it did
end up creating this bug when this code was ported from v1 to v2.
In order to prevent leaking of session values (and to avoid the mess of
deleting the entire session cookie which could still have values we want
in it) this nuclear method is now called by expire/logout with a
whitelist of keys to keep (passed in from
Config.Storage.SessionWhitelistKeys).
- Make this change to make it a bit more chi/alice friendly
since this is typically the form of middlewares to be constructed
and then turned into a "middleware" function/type.
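
The expiry fix and the whitelist-based session clearing described above, as an added Go example that is not Authboss's own code. The `Session` type, the key names `uid`, `last_action`, `locale` and `role`, and the injected clock are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// Session is a hypothetical in-memory session; all key names are made up.
type Session map[string]string

// delAllExcept deletes every session key that is not on the whitelist.
func delAllExcept(s Session, keep map[string]bool) {
	for k := range s {
		if !keep[k] {
			delete(s, k)
		}
	}
}

// Expire builds a middleware in the func(http.Handler) http.Handler form.
// An idle session is stripped before next runs, so the expired request itself
// reaches downstream handlers without the login.
func Expire(s Session, ttl time.Duration, keep map[string]bool, now func() time.Time) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			last, err := time.Parse(time.RFC3339Nano, s["last_action"])
			if _, in := s["uid"]; in && err == nil && now().Sub(last) > ttl {
				delAllExcept(s, keep) // expired: only whitelisted keys survive
			} else if in {
				s["last_action"] = now().Format(time.RFC3339Nano) // first or active request
			}
			next.ServeHTTP(w, r)
		})
	}
}

// Run sends one request after the given idle time; it returns the uid the
// downstream handler saw and the session that remains (constructed sample data).
func Run(idle time.Duration) (string, Session) {
	seen, t0 := "", time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	s := Session{"uid": "alice", "last_action": t0.Format(time.RFC3339Nano), "locale": "en", "role": "admin"}
	h := Expire(s, time.Hour, map[string]bool{"locale": true}, func() time.Time { return t0.Add(idle) })(
		http.HandlerFunc(func(http.ResponseWriter, *http.Request) { seen = s["uid"] }))
	h.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest("GET", "/", nil))
	return seen, s
}

func main() { fmt.Println(Run(2 * time.Hour)) }
```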