fix(auth): cookie expiry and renewal (#1527)

* fix(auth/web): logout when expired/invalid/no cookie is present * fix(auth/web): specify error message in invalid cookie * fix(auth/web): reset error boundary on login * fix(auth/web): fix onboarding * chore: code cleanup * fix(web): revert tanstack/router to 1.31.0 * refactor(web): remove react-error-boundary * feat(auth): refresh cookie when close to expiry * enhancement(web): specify defaultError message in HttpClient * fix(web): use absolute paths for router links (#1530) * chore(web): bump `@tanstack/react-router` to `1.31.6` * fix(web): settings routes * fix(web): filter routes * fix(web): remove unused ReleasesIndexRoute * chore(web): add documentation for HttpClient * chore(lint): remove unnecessary whitespace
2025-07-23 00:39:13 +00:00 · 2024-05-08 10:38:02 +02:00 · 2024-05-08 10:38:02 +02:00 · 8120c33f6b
commit 8120c33f6b
parent 3dab295387
19 changed files with 364 additions and 366 deletions
--- a/internal/http/auth.go
+++ b/internal/http/auth.go
@ -7,6 +7,7 @@ import (
 	"context"
 	"encoding/json"
 	"net/http"
+	"time"

 	"github.com/autobrr/autobrr/internal/domain"
 	"github.com/autobrr/autobrr/pkg/errors"
@ -82,6 +83,7 @@ func (h authHandler) login(w http.ResponseWriter, r *http.Request) {

 	// Set user as authenticated
 	session.Values["authenticated"] = true
+	session.Values["created"] = time.Now().Unix()

 	// Set cookie options
 	session.Options.HttpOnly = true
--- a/internal/http/middleware.go
+++ b/internal/http/middleware.go
@ -57,6 +57,27 @@ func (s Server) IsAuthenticated(next http.Handler) http.Handler {
 				return
 			}

+			if created, ok := session.Values["created"].(int64); ok {
+				// created is a unix timestamp MaxAge is in seconds
+				maxAge := time.Duration(session.Options.MaxAge) * time.Second
+				expires := time.Unix(created, 0).Add(maxAge)
+
+				if time.Until(expires) <= 7*24*time.Hour { // 7 days
+					s.log.Info().Msgf("Cookie is expiring in less than 7 days on %s - extending session", expires.Format("2006-01-02 15:04:05"))
+
+					session.Values["created"] = time.Now().Unix()
+
+					// Call session.Save as needed - since it writes a header (the Set-Cookie
+					// header), making sure you call it before writing out a body is important.
+					// https://github.com/gorilla/sessions/issues/178#issuecomment-447674812
+					if err := session.Save(r, w); err != nil {
+						s.log.Error().Err(err).Msgf("could not store session: %s", r.RemoteAddr)
+						http.Error(w, err.Error(), http.StatusInternalServerError)
+						return
+					}
+				}
+			}
+
 			ctx := context.WithValue(r.Context(), "session", session)
 			r = r.WithContext(ctx)
 		}