Make OpenID sessions expire after one week

Cargo.toml

@@ -8,38 +8,35 @@ edition = "2024"
 [dependencies]
 actix = "0.13.5"
 actix-identity = "0.9.0"
-actix-web = "4.12.1"
+actix-web = "4.13.0"
 actix-session = { version = "0.11.0", features = ["cookie-session", "redis-session"] }
 actix-remote-ip = "0.1.0"
-clap = { version = "4.5.59", features = ["derive", "env"] }
+clap = { version = "4.5.60", features = ["derive", "env"] }
 include_dir = "0.7.4"
 log = "0.4.29"
 serde_json = "1.0.149"
-serde_yaml = "0.9.34"
+serde_yml = "0.0.12"
-env_logger = "0.11.8"
+env_logger = "0.11.9"
 serde = { version = "1.0.228", features = ["derive"] }
 bcrypt = "0.18.0"
-uuid = { version = "1.20.0", features = ["v4"] }
+uuid = { version = "1.21.0", features = ["v4"] }
 mime_guess = "2.0.5"
 askama = "0.15.4"
 urlencoding = "2.1.3"
-rand = "0.9.0"
+rand = "0.10.0"
 base64 = "0.22.1"
 jwt-simple = { version = "0.12.14", default-features = false, features = ["pure-rust"] }
-digest = "0.11.0"
+sha2 = "0.11.0-rc.5"
-sha2 = "0.11.0-rc.4"
+lazy-regex = "3.6.0"
-lazy-regex = "3.5.1"
 totp_rfc6238 = "0.6.1"
 base32 = "0.5.1"
 qrcode-generator = "5.0.0"
 webauthn-rs = { version = "0.5.4", features = ["danger-allow-state-serialisation"] }
 url = "2.5.8"
 light-openid = { version = "1.1.0", features = ["crypto-wrapper"] }
-rkyv = "0.8.14"
+rkyv = "0.8.15"
 chrono = "0.4.43"
-lazy_static = "1.5.0"
 mailchecker = "6.0.19"
 httpdate = "1.0.3"
 build-time = "0.1.3"
 hex = "0.4.3"
-anyhow = "1.0.101"

src/actors/openid_sessions_actor.rs

@@ -17,17 +17,20 @@ pub struct SessionID(pub String);
 
 #[derive(Clone, Debug)]
 pub struct Session {
-    pub session_id: SessionID,
     pub client: ClientID,
     pub user: UserID,
     pub auth_time: u64,
     pub redirect_uri: String,
 
+    pub session_id: SessionID,
+    pub session_expire_at: u64,
+
     pub authorization_code: String,
     pub authorization_code_expire_at: u64,
 
     pub access_token: Option<String>,
     pub access_token_expire_at: u64,
+
     pub refresh_token: String,
     pub refresh_token_expire_at: u64,
 
@@ -37,9 +40,10 @@ pub struct Session {
 
 impl Session {
     pub fn is_expired(&self) -> bool {
-        self.authorization_code_expire_at < time()
+        self.session_expire_at < time()
+            || (self.authorization_code_expire_at < time()
                 && self.access_token_expire_at < time()
-            && self.refresh_token_expire_at < time()
+                && self.refresh_token_expire_at < time())
     }
 
     pub fn regenerate_access_and_refresh_tokens(

src/constants.rs

@@ -64,7 +64,8 @@ pub const USERINFO_URI: &str = "/openid/userinfo";
 
 /// Open ID constants
 pub const OPEN_ID_SESSION_CLEANUP_INTERVAL: Duration = Duration::from_secs(60);
-pub const OPEN_ID_SESSION_LEN: usize = 40;
+pub const OPEN_ID_SESSION_ID_LEN: usize = 40;
+pub const OPEN_ID_SESSION_MAX_DURATION: Duration = Duration::from_secs(3600 * 24 * 7);
 pub const OPEN_ID_AUTHORIZATION_CODE_LEN: usize = 120;
 pub const OPEN_ID_AUTHORIZATION_CODE_TIMEOUT: u64 = 300;
 pub const OPEN_ID_ACCESS_TOKEN_LEN: usize = 50;

src/controllers/openid_controller.rs

@@ -219,11 +219,12 @@ pub async fn authorize(
         (_, "code") => {
             // Save all authentication information in memory
             let session = Session {
-                session_id: SessionID(rand_str(OPEN_ID_SESSION_LEN)),
                 client: client.id.clone(),
                 user: user.uid.clone(),
                 auth_time: SessionIdentity(Some(&id)).auth_time(),
                 redirect_uri,
+                session_id: SessionID(rand_str(OPEN_ID_SESSION_ID_LEN)),
+                session_expire_at: time() + OPEN_ID_SESSION_MAX_DURATION.as_secs(),
                 authorization_code: rand_str(OPEN_ID_AUTHORIZATION_CODE_LEN),
                 authorization_code_expire_at: time() + OPEN_ID_AUTHORIZATION_CODE_TIMEOUT,
                 access_token: None,

src/data/app_config.rs

@@ -1,6 +1,6 @@
-use std::path::{Path, PathBuf};
-
 use clap::Parser;
+use std::path::{Path, PathBuf};
+use std::sync::OnceLock;
 
 use crate::constants::{
     APP_NAME, CLIENTS_LIST_FILE, OIDC_PROVIDER_CB_URI, PROVIDERS_LIST_FILE, USERS_LIST_FILE,
@@ -93,8 +93,12 @@ pub struct AppConfig {
     redis_password: String,
 }
 
-lazy_static::lazy_static! {
+static ARGS: OnceLock<AppConfig> = OnceLock::new();
-    static ref ARGS: AppConfig = {
+
+impl AppConfig {
+    /// Get parsed command line arguments
+    pub fn get() -> &'static AppConfig {
+        ARGS.get_or_init(|| {
             let mut config = AppConfig::parse();
 
             // In debug mode only, use dummy token
@@ -103,13 +107,7 @@ lazy_static::lazy_static! {
             }
 
             config
-    };
+        })
-}
-
-impl AppConfig {
-    /// Get parsed command line arguments
-    pub fn get() -> &'static AppConfig {
-        &ARGS
     }
 
     pub fn secure_cookie(&self) -> bool {

src/data/entity_manager.rs

@@ -36,7 +36,7 @@ where
             file_path: path.as_ref().to_path_buf(),
             list: match Self::file_format(path.as_ref()) {
                 FileFormat::Json => serde_json::from_str(&file_content)?,
-                FileFormat::Yaml => serde_yaml::from_str(&file_content)?,
+                FileFormat::Yaml => serde_yml::from_str(&file_content)?,
             },
         })
     }
@@ -47,7 +47,7 @@ where
             &self.file_path,
             match Self::file_format(self.file_path.as_ref()) {
                 FileFormat::Json => serde_json::to_string(&self.list)?,
-                FileFormat::Yaml => serde_yaml::to_string(&self.list)?,
+                FileFormat::Yaml => serde_yml::to_string(&self.list)?,
             },
         )?)
     }

src/data/totp_key.rs

@@ -1,5 +1,5 @@
 use base32::Alphabet;
-use rand::Rng;
+use rand::RngExt;
 use totp_rfc6238::{HashAlgorithm, TotpGenerator};
 
 use crate::data::app_config::AppConfig;

src/utils/crypt_utils.rs

@@ -1,4 +1,4 @@
-use digest::Digest;
+use sha2::Digest;
 
 #[inline]
 pub fn sha256(input: &[u8]) -> Vec<u8> {