Make OpenID sessions expire after one week

Cargo.lock

@@ -876,9 +876,9 @@ dependencies = [
 
 [[package]]
 name = "clap"
-version = "4.5.59"
+version = "4.5.60"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c5caf74d17c3aec5495110c34cc3f78644bfa89af6c8993ed4de2790e49b6499"
+checksum = "2797f34da339ce31042b27d23607e051786132987f595b02ba4f6a6dffb7030a"
 dependencies = [
  "clap_builder",
  "clap_derive",
@@ -886,9 +886,9 @@ dependencies = [
 
 [[package]]
 name = "clap_builder"
-version = "4.5.59"
+version = "4.5.60"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "370daa45065b80218950227371916a1633217ae42b2715b2287b606dcd618e24"
+checksum = "24a241312cea5059b13574bb9b3861cabf758b879c15190b37b6d6fd63ab6876"
 dependencies = [
  "anstream",
  "anstyle",

Cargo.toml

@@ -11,7 +11,7 @@ actix-identity = "0.9.0"
 actix-web = "4.13.0"
 actix-session = { version = "0.11.0", features = ["cookie-session", "redis-session"] }
 actix-remote-ip = "0.1.0"
-clap = { version = "4.5.59", features = ["derive", "env"] }
+clap = { version = "4.5.60", features = ["derive", "env"] }
 include_dir = "0.7.4"
 log = "0.4.29"
 serde_json = "1.0.149"

src/actors/openid_sessions_actor.rs

@@ -17,17 +17,20 @@ pub struct SessionID(pub String);
 
 #[derive(Clone, Debug)]
 pub struct Session {
-    pub session_id: SessionID,
     pub client: ClientID,
     pub user: UserID,
     pub auth_time: u64,
     pub redirect_uri: String,
 
+    pub session_id: SessionID,
+    pub session_expire_at: u64,
+
     pub authorization_code: String,
     pub authorization_code_expire_at: u64,
 
     pub access_token: Option<String>,
     pub access_token_expire_at: u64,
+
     pub refresh_token: String,
     pub refresh_token_expire_at: u64,
 
@@ -37,9 +40,10 @@ pub struct Session {
 
 impl Session {
     pub fn is_expired(&self) -> bool {
-        self.authorization_code_expire_at < time()
+        self.session_expire_at < time()
-            && self.access_token_expire_at < time()
+            || (self.authorization_code_expire_at < time()
-            && self.refresh_token_expire_at < time()
+                && self.access_token_expire_at < time()
+                && self.refresh_token_expire_at < time())
     }
 
     pub fn regenerate_access_and_refresh_tokens(

src/constants.rs

@@ -64,7 +64,8 @@ pub const USERINFO_URI: &str = "/openid/userinfo";
 
 /// Open ID constants
 pub const OPEN_ID_SESSION_CLEANUP_INTERVAL: Duration = Duration::from_secs(60);
-pub const OPEN_ID_SESSION_LEN: usize = 40;
+pub const OPEN_ID_SESSION_ID_LEN: usize = 40;
+pub const OPEN_ID_SESSION_MAX_DURATION: Duration = Duration::from_secs(3600 * 24 * 7);
 pub const OPEN_ID_AUTHORIZATION_CODE_LEN: usize = 120;
 pub const OPEN_ID_AUTHORIZATION_CODE_TIMEOUT: u64 = 300;
 pub const OPEN_ID_ACCESS_TOKEN_LEN: usize = 50;

src/controllers/openid_controller.rs

@@ -219,11 +219,12 @@ pub async fn authorize(
         (_, "code") => {
             // Save all authentication information in memory
             let session = Session {
-                session_id: SessionID(rand_str(OPEN_ID_SESSION_LEN)),
                 client: client.id.clone(),
                 user: user.uid.clone(),
                 auth_time: SessionIdentity(Some(&id)).auth_time(),
                 redirect_uri,
+                session_id: SessionID(rand_str(OPEN_ID_SESSION_ID_LEN)),
+                session_expire_at: time() + OPEN_ID_SESSION_MAX_DURATION.as_secs(),
                 authorization_code: rand_str(OPEN_ID_AUTHORIZATION_CODE_LEN),
                 authorization_code_expire_at: time() + OPEN_ID_AUTHORIZATION_CODE_TIMEOUT,
                 access_token: None,