Fix admin session timeout

2022-11-21 20:43:51 +01:00 · 2022-11-21 20:43:51 +01:00 · 8475f5bccd
commit 8475f5bccd
--- a/app/admin.py
+++ b/app/admin.py
@ -30,6 +30,7 @@ from app.boxes import send_block
 from app.boxes import send_follow
 from app.boxes import send_unblock
 from app.config import EMOJIS
+from app.config import SESSION_TIMEOUT
 from app.config import generate_csrf_token
 from app.config import session_serializer
 from app.config import verify_csrf_token
@ -66,7 +67,7 @@ async def user_session_or_redirect(
        raise _RedirectToLoginPage

    try:
-        loaded_session = session_serializer.loads(session, max_age=3600 * 24 * 3)
+        loaded_session = session_serializer.loads(session, max_age=SESSION_TIMEOUT)
    except Exception:
        logger.exception("Failed to validate admin session")
        raise _RedirectToLoginPage
--- a/app/config.py
+++ b/app/config.py
@ -116,6 +116,8 @@ class Config(pydantic.BaseModel):
    sqlalchemy_database: str | None = None
    key_path: str | None = None

+    session_timeout: int = 3600 * 24 * 3  # in seconds, 3 days by default
+
    # Only set when the app is served on a non-root path
    id: str | None = None

@ -171,6 +173,7 @@ ALSO_KNOWN_AS = CONFIG.also_known_as
 CUSTOM_CONTENT_SECURITY_POLICY = CONFIG.custom_content_security_policy

 INBOX_RETENTION_DAYS = CONFIG.inbox_retention_days
+SESSION_TIMEOUT = CONFIG.session_timeout
 CUSTOM_FOOTER = (
    markdown(CONFIG.custom_footer.replace("{version}", VERSION))
    if CONFIG.custom_footer
--- a/app/templates.py
+++ b/app/templates.py
@ -27,6 +27,7 @@ from app.ap_object import Object
 from app.config import BASE_URL
 from app.config import CUSTOM_FOOTER
 from app.config import DEBUG
+from app.config import SESSION_TIMEOUT
 from app.config import VERSION
 from app.config import generate_csrf_token
 from app.config import session_serializer
@ -69,10 +70,10 @@ def is_current_user_admin(request: Request) -> bool:
        try:
            loaded_session = session_serializer.loads(
                session_cookie,
-                max_age=3600 * 12,
+                max_age=SESSION_TIMEOUT,
            )
        except Exception:
-            pass
+            logger.exception("Failed to validate session timeout")
        else:
            is_admin = loaded_session.get("is_logged_in")