FEATURE: configure session time via site setting for all the users (#4343)

2024-11-22 15:06:26 +08:00 · 2016-07-23 02:57:30 +05:30 · 2016-07-23 02:57:30 +05:30 · a9207dafa7
commit a9207dafa7
parent b2289d733f
8 changed files with 19 additions and 12 deletions
--- a/app/models/post.rb
+++ b/app/models/post.rb
@ -708,6 +708,7 @@ end
 # Indexes
 #
 #  idx_posts_created_at_topic_id            (created_at,topic_id)
+#  idx_posts_deleted_posts                  (topic_id,post_number)
 #  idx_posts_user_id_deleted_at             (user_id)
 #  index_posts_on_reply_to_post_number      (reply_to_post_number)
 #  index_posts_on_topic_id_and_post_number  (topic_id,post_number) UNIQUE
--- a/app/models/site_customization.rb
+++ b/app/models/site_customization.rb
@ -284,6 +284,7 @@ end
 #  mobile_header_baked     :text
 #  footer_baked            :text
 #  mobile_footer_baked     :text
+#  compiler_version        :integer          default(0), not null
 #
 # Indexes
 #
--- a/app/models/unsubscribe_key.rb
+++ b/app/models/unsubscribe_key.rb
@ -34,6 +34,7 @@ end
 #  updated_at           :datetime
 #  unsubscribe_key_type :string
 #  topic_id             :integer
+#  post_id              :integer
 #
 # Indexes
 #
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -1048,6 +1048,7 @@ end
 #  trust_level_locked      :boolean          default(FALSE), not null
 #  staged                  :boolean          default(FALSE), not null
 #  first_seen_at           :datetime
+#  auth_token_created_at   :datetime
 #
 # Indexes
 #
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@ -909,7 +909,7 @@ en:
    post_undo_action_window_mins: "Number of minutes users are allowed to undo recent actions on a post (like, flag, etc)."
    must_approve_users: "Staff must approve all new user accounts before they are allowed to access the site. WARNING: enabling this for a live site will revoke access for existing non-staff users!"
    pending_users_reminder_delay: "Notify moderators if new users have been waiting for approval for longer than this many hours. Set to -1 to disable notifications."
-    permanent_session_cookie: "Use a permanent cookie that persists after closing the browser. When disabling this, you may want to log out everyone programmatically."
+    maximum_session_age: "User will remain logged in for n hours."
    ga_tracking_code: "OBSOLETE: Google analytics (ga.js) tracking code code, eg: UA-12345678-9; see http://google.com/analytics"
    ga_domain_name: "OBSOLETE: Google analytics (ga.js) domain name, eg: mysite.com; see http://google.com/analytics"
    ga_universal_tracking_code: "Google Universal Analytics (analytics.js) tracking code code, eg: UA-12345678-9; see http://google.com/analytics"
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@ -304,7 +304,10 @@ login:
  pending_users_reminder_delay:
    min: -1
    default: 8
-  permanent_session_cookie: true
+  maximum_session_age:
+    default: 2160
+    min: 1
+    max: 175200

 users:
  min_username_length:
--- a/db/migrate/20160722071221_add_auth_token_created_at_to_users.rb
+++ b/db/migrate/20160722071221_add_auth_token_created_at_to_users.rb
@ -0,0 +1,5 @@
+class AddAuthTokenCreatedAtToUsers < ActiveRecord::Migration
+  def change
+    add_column :users, :auth_token_created_at, :datetime, null: true
+  end
+end
--- a/lib/auth/default_current_user_provider.rb
+++ b/lib/auth/default_current_user_provider.rb
@ -36,7 +36,7 @@ class Auth::DefaultCurrentUserProvider
    current_user = nil

    if auth_token && auth_token.length == 32
-      current_user = User.find_by(auth_token: auth_token)
+      current_user = User.where(auth_token: auth_token).where('auth_token_created_at IS NULL OR auth_token_created_at > ?', SiteSetting.maximum_session_age.hours.ago).first
    end

    if current_user && (current_user.suspended? || !current_user.active)
@ -62,15 +62,10 @@ class Auth::DefaultCurrentUserProvider
  end

  def log_on_user(user, session, cookies)
-    unless user.auth_token && user.auth_token.length == 32
-      user.auth_token = SecureRandom.hex(16)
-      user.save!
-    end
-    if SiteSetting.permanent_session_cookie
-      cookies.permanent[TOKEN_COOKIE] = { value: user.auth_token, httponly: true }
-    else
-      cookies[TOKEN_COOKIE] = { value: user.auth_token, httponly: true }
-    end
+    user.auth_token = SecureRandom.hex(16)
+    user.auth_token_created_at = Time.zone.now
+    user.save!
+    cookies[TOKEN_COOKIE] = { value: user.auth_token, httponly: true, expires: SiteSetting.maximum_session_age.hours.from_now }
    make_developer_admin(user)
    enable_bootstrap_mode(user)
    @env[CURRENT_USER_KEY] = user