Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make sessions (actually) expire #8

Closed
mikker opened this issue Dec 27, 2017 · 5 comments
Closed

Make sessions (actually) expire #8

mikker opened this issue Dec 27, 2017 · 5 comments

Comments

@mikker
Copy link
Owner

mikker commented Dec 27, 2017

Sessions don't expire right now. They get expires_at set to a year in the future but we don't really use that anywhere. It's meant to make the cookies expire at some point, forcing the user to sign in again. Probably a good idea.

(NB: Expiry is different than timeout. Timeout is sign in using this token before. Expiry is sign user out automatically after)

Now, we could do this by setting an expiry on the cookie itself. But I'm not sure. I think I'd like to check it programmatically, so we can alert the user of the reason they need to sign in again, e.g Your session has expired, please sign in again. I think the best place to do this for now is in the sessions controller.
@mikker mikker mentioned this issue Dec 27, 2017
Closed
@mftaff
Copy link
Contributor

mftaff commented Dec 27, 2017

Sure! I am keen to work on this.

@mftaff
Copy link
Contributor

mftaff commented Dec 31, 2017

Hear are my thoughts so far:

in sessions_controller.rb

...
def show
     ...
      session = find_session
      sign_in session.authenticatable
    ...
end
...
private
...
def find_session
    Session.valid.find_by!(
      authenticatable_type: authenticatable_classname,
      token: params[:token]
    )
end
...

In find_session you used .valid to scope to sessions that are not timed-out or expired. We probably want to remove that scope, (or at least remove the expires_at part of it.) in order that we can run a manual check for expires_at after finding a session? I think the solution could look something like this:

...
def show
     ...
      session = find_session
      sign_in session.authenticatable unless session_expired session
    ...
end
...
private
...
def find_session
    Session.valid.find_by!(
      authenticatable_type: authenticatable_classname,
      token: params[:token]
    )
end

def session_expired(session)
    if session.expires_at > Time.current
         false # i.e the session hasn't expired.
    else
        # add message saying session expired. using flash?
        true # i.e the session has expired.
    end
end
...

What do you think? Is this what you had in mind?

@mftaff
Copy link
Contributor

mftaff commented Jan 14, 2018

@mikker hey man, hope the new year is going well :-) I am curious if you had a chance to look this over? Do you want me to submit a PR?

@mikker
Copy link
Owner Author

mikker commented Jan 14, 2018

Yes, sorry, thanks! A PR is very welcome. Good thoughts so far. I have a few suggestions but the best way forward is maybe you getting as far as you can and then we work our way to the finish line together, bit by bit?

@mftaff mftaff mentioned this issue Jan 14, 2018
Merged
@mikker
Copy link
Owner Author

mikker commented Jan 16, 2018

Fixed in #10

@mikker mikker closed this as completed Jan 16, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mikker @mftaff