Skip to content

Commit

Permalink
Don't log users out so frequently
Browse files Browse the repository at this point in the history
Fixes #8949. We agreed on logging
inactive users out after three months and active users after one year,
Slack thread:

https://hypothes-is.slack.com/archives/C4K6M7P5E/p1726753077108739?thread_ts=1726473609.158389&cid=C4K6M7P5E
  • Loading branch information
seanh committed Sep 19, 2024
1 parent 6bc20d2 commit a01d64c
Show file tree
Hide file tree
Showing 4 changed files with 11 additions and 8 deletions.
6 changes: 4 additions & 2 deletions h/security/policy/top_level.py
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
from datetime import timedelta

import webob
from pyramid.request import RequestLocalCache
from pyramid.security import Allowed, Denied
Expand All @@ -10,7 +12,7 @@
from h.security.policy._cookie import CookiePolicy
from h.security.policy.helpers import AuthTicketCookieHelper, is_api_request

HTML_AUTHCOOKIE_MAX_AGE = 30 * 24 * 3600 # 30 days.
HTML_AUTHCOOKIE_MAX_AGE = int(timedelta(days=365).total_seconds())


class TopLevelPolicy:
Expand Down Expand Up @@ -55,7 +57,7 @@ def get_subpolicy(request):
# Make the API authcookie stay fresh for longer than the HTML one.
# This is to make it less likely that a browser will have an unexpired HTML
# authcookie but an expired API one, which can lead to confusing results.
max_age=HTML_AUTHCOOKIE_MAX_AGE + 3600,
max_age=HTML_AUTHCOOKIE_MAX_AGE + int(timedelta(hours=1).total_seconds()),
)
api_authcookie = api_authcookie.bind(request)

Expand Down
2 changes: 1 addition & 1 deletion h/services/auth_ticket.py
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@


class AuthTicketService:
TICKET_TTL = timedelta(days=7)
TICKET_TTL = timedelta(days=90)

# We only want to update the `expires` column when the tickets `expires` is
# at least one minute smaller than the potential new value. This prevents
Expand Down
3 changes: 2 additions & 1 deletion h/session.py
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
from datetime import timedelta
from urllib.parse import urlparse

from pyramid.csrf import SessionCSRFStoragePolicy
Expand Down Expand Up @@ -126,7 +127,7 @@ def includeme(config): # pragma: no cover
#
# To avoid this we make sure that the lifetime of CSRF tokens is always
# longer than the lifetimes of auth cookies.
timeout=HTML_AUTHCOOKIE_MAX_AGE + 3600,
timeout=HTML_AUTHCOOKIE_MAX_AGE + int(timedelta(hours=1).total_seconds()),
)
config.set_session_factory(factory)
config.set_csrf_storage_policy(SessionCSRFStoragePolicy())
8 changes: 4 additions & 4 deletions tests/unit/h/security/policy/top_level_test.py
Original file line number Diff line number Diff line change
Expand Up @@ -90,7 +90,7 @@ def test_api_request(
secret="test_h_api_auth_cookie_secret",
salt="test_h_api_auth_cookie_salt",
cookie_name="h_api_authcookie",
max_age=2595600,
max_age=31539600,
httponly=True,
secure=True,
samesite="strict",
Expand All @@ -99,7 +99,7 @@ def test_api_request(
secret="test_h_auth_cookie_secret",
salt="authsanity",
cookie_name="auth",
max_age=2592000,
max_age=31536000,
httponly=True,
secure=True,
),
Expand Down Expand Up @@ -147,7 +147,7 @@ def test_non_api_request(
secret="test_h_api_auth_cookie_secret",
salt="test_h_api_auth_cookie_salt",
cookie_name="h_api_authcookie",
max_age=2595600,
max_age=31539600,
httponly=True,
secure=True,
samesite="strict",
Expand All @@ -156,7 +156,7 @@ def test_non_api_request(
secret="test_h_auth_cookie_secret",
salt="authsanity",
cookie_name="auth",
max_age=2592000,
max_age=31536000,
httponly=True,
secure=True,
),
Expand Down

0 comments on commit a01d64c

Please sign in to comment.