feat: add session max lifetime and fix refresh logic (#559)

* feat: allow any HTTP method for /api/auth/envoy and restrict methods for non-envoy proxies * feat: add Allow header for invalid methods in proxyHandler * feat: add session max lifetime and fix refresh logic * fix: set default value for created_at column and improve session expiration logic --------- Co-authored-by: Stavros <steveiliop56@gmail.com>
2026-01-12 02:12:29 +00:00 · 2026-01-07 06:37:23 -05:00
parent 721f302c0b
commit e7bd64d7a3
16 changed files with 96 additions and 47 deletions
--- a/internal/bootstrap/app_bootstrap.go
+++ b/internal/bootstrap/app_bootstrap.go
@@ -42,6 +42,10 @@ func NewBootstrapApp(config config.Config) *BootstrapApp {
 }

 func (app *BootstrapApp) Setup() error {
+	// validate session config
+	if app.config.Auth.SessionMaxLifetime != 0 && app.config.Auth.SessionMaxLifetime < app.config.Auth.SessionExpiry {
+		return fmt.Errorf("session max lifetime cannot be less than session expiry")
+	}
 	// Parse users
 	users, err := utils.GetUsers(app.config.Auth.Users, app.config.Auth.UsersFile)

--- a/internal/bootstrap/db_bootstrap.go
+++ b/internal/bootstrap/db_bootstrap.go
@@ -27,6 +27,10 @@ func (app *BootstrapApp) SetupDatabase(databasePath string) (*sql.DB, error) {
 		return nil, fmt.Errorf("failed to open database: %w", err)
 	}

+	// Limit to 1 connection to sequence writes, this may need to be revisited in the future
+	// if the sqlite connection starts being a bottleneck
+	db.SetMaxOpenConns(1)
+
 	migrations, err := iofs.New(assets.Migrations, "migrations")

 	if err != nil {
--- a/internal/bootstrap/service_bootstrap.go
+++ b/internal/bootstrap/service_bootstrap.go
@@ -58,14 +58,15 @@ func (app *BootstrapApp) initServices(queries *repository.Queries) (Services, er
 	services.accessControlService = accessControlsService

 	authService := service.NewAuthService(service.AuthServiceConfig{
-		Users:             app.context.users,
-		OauthWhitelist:    app.config.OAuth.Whitelist,
-		SessionExpiry:     app.config.Auth.SessionExpiry,
-		SecureCookie:      app.config.Auth.SecureCookie,
-		CookieDomain:      app.context.cookieDomain,
-		LoginTimeout:      app.config.Auth.LoginTimeout,
-		LoginMaxRetries:   app.config.Auth.LoginMaxRetries,
-		SessionCookieName: app.context.sessionCookieName,
+		Users:              app.context.users,
+		OauthWhitelist:     app.config.OAuth.Whitelist,
+		SessionExpiry:      app.config.Auth.SessionExpiry,
+		SessionMaxLifetime: app.config.Auth.SessionMaxLifetime,
+		SecureCookie:       app.config.Auth.SecureCookie,
+		CookieDomain:       app.context.cookieDomain,
+		LoginTimeout:       app.config.Auth.LoginTimeout,
+		LoginMaxRetries:    app.config.Auth.LoginMaxRetries,
+		SessionCookieName:  app.context.sessionCookieName,
 	}, dockerService, ldapService, queries)

 	err = authService.Init()