X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=lib%2Fauthenticator.js;h=0c0c349b7288af20f0fc7df421c91aeddd61a3dc;hb=5b90f0a97b1f49b19d395ffe2cf14dda12d87fc9;hp=1cff2108f309e2ac51245070281e0ec346f6168c;hpb=c13db4d55a8cf25c109dfcbb88a2d7828b791147;p=squeep-authentication-module
diff --git a/lib/authenticator.js b/lib/authenticator.js
index 1cff210..0c0c349 100644
--- a/lib/authenticator.js
+++ b/lib/authenticator.js
@@ -20,6 +20,7 @@ class Authenticator {
    * @param {Boolean} options.authenticator.secureAuthOnly
    * @param {String[]} options.authenticator.forbiddenPAMIdentifiers
    * @param {String[]} options.authenticator.authnEnabled
+   * @param {Number=} options.authenticator.inactiveSessionLifespanSeconds
    * @param {String[]=} options.authenticator.loginBlurb
    * @param {String[]=} options.authenticator.indieAuthBlurb
    * @param {String[]=} options.authenticator.userBlurb
@@ -51,6 +52,8 @@ class Authenticator {
     }
 
     this.mysteryBox = new MysteryBox(logger, options);
+
+    this.cookieLifespan = options.authenticator.inactiveSessionLifespanSeconds || 60 * 60 * 24 * 32;
   }
 
 
@@ -259,6 +262,18 @@ class Authenticator {
       && (ctx.session.authenticatedIdentifier || (profilesAllowed && ctx.session.authenticatedProfile))) {
       this.logger.debug(_scope, 'valid session cookie', { ctx });
+      // Refresh timeout on valid session.
+      const cookieParts = [
+        sessionCookie,
+        'HttpOnly',
+        `Max-Age=${this.cookieLifespan}`,
+        'SameSite=Lax',
+        `Path=${this.options.dingus.proxyPrefix}/`,
+      ];
+      if (this.options.authenticator.secureAuthOnly) {
+        cookieParts.push('Secure');
+      }
+      res.setHeader(Enum.Header.SetCookie, cookieParts.join('; '));
       return true;
     }
 
 
@@ -268,6 +283,7 @@ class Authenticator {
         `${Enum.SessionCookie}=""`,
         'HttpOnly',
         'Max-Age=0',
+        'SameSite=Lax',
         `Path=${this.options.dingus.proxyPrefix}/`,
       ];
       if (this.options.authenticator.secureAuthOnly) {
@@ -371,4 +387,4 @@ class Authenticator {
 }
 
 
-module.exports = Authenticator;
\ No newline at end of file
+module.exports = Authenticator;
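Review bot: The new `@param` for `inactiveSessionLifespanSeconds` in the first hunk gives a type but no description, and the default the constructor applies in the next hunk (32 days) is discoverable only by reading that assignment. Suggest `* @param {Number=} options.authenticator.inactiveSessionLifespanSeconds - seconds of inactivity after which the session cookie expires; defaults to 32 days (60 * 60 * 24 * 32)`. The constructor's JSDoc block starts and ends outside the hunk.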
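Review bot: The `||` in the new `this.cookieLifespan` assignment in the second hunk treats a configured `0` as unset and silently falls back to 32 days, and nothing rejects a negative or non-integer value, which is later interpolated straight into `Max-Age=` where a value of zero or less expires the cookie immediately (RFC 6265 §5.2.2). Prefer `??` so that only null/undefined take the default, and fail at construction rather than on the first authenticated request: `const lifespan = options.authenticator.inactiveSessionLifespanSeconds ?? 60 * 60 * 24 * 32;` / `if (!Number.isInteger(lifespan) || lifespan <= 0) throw new RangeError('inactiveSessionLifespanSeconds must be a positive integer');` / `this.cookieLifespan = lifespan;`. The enclosing constructor starts outside the hunk.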
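Review bot: The refresh block added after the `valid session cookie` debug line in the third hunk re-issues the cookie with a full `Max-Age` on every authenticated request, so the cookie attribute never reaches an absolute expiry while the session sees traffic; if the value sealed by MysteryBox carries its own timestamp (not visible here) that bound still applies server-side, but nothing in this hunk caps the cookie itself. Consider documenting in the `@param` that `inactiveSessionLifespanSeconds` is purely an idle timeout, or pairing it with an absolute session lifetime enforced against the sealed payload. Separately, the attribute list (`HttpOnly`, `Max-Age`, `SameSite=Lax`, `Path`, conditional `Secure`) is now assembled here and again in the clearing path in the fourth hunk, and presumably at login outside this diff; one helper keeps them in sync, which matters because a clearing cookie whose `Path` or `Secure` attribute differs from the original will not replace it. `sessionCookie` is defined outside the hunk, and the enclosing method starts and ends outside it.
```javascript
  /**
   * Build the Set-Cookie value for the session cookie so that every path
   * (issue, refresh, clear) emits the same attribute set.
   * @param {String} nameValue - the `name=value` pair, or `name=""` to clear
   * @param {Number} maxAgeSeconds - 0 to clear the cookie
   * @returns {String}
   */
  sessionCookieHeader(nameValue, maxAgeSeconds) {
    const parts = [
      nameValue,
      'HttpOnly',
      `Max-Age=${maxAgeSeconds}`,
      'SameSite=Lax',
      `Path=${this.options.dingus.proxyPrefix}/`,
    ];
    if (this.options.authenticator.secureAuthOnly) {
      parts.push('Secure');
    }
    return parts.join('; ');
  }

  // … unchanged: session validation above the refresh …
      this.logger.debug(_scope, 'valid session cookie', { ctx });
      // Refresh idle timeout on valid session; absolute lifetime is not bounded here.
      res.setHeader(Enum.Header.SetCookie, this.sessionCookieHeader(sessionCookie, this.cookieLifespan));
      return true;
```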