From f507a26b9d80a26ef625ab6f4106866238b53d0b Mon Sep 17 00:00:00 2001
From: blallo
Date: Thu, 5 Sep 2019 17:57:40 +0200
Subject: [PATCH] Add max_age for short-lived session.

---
 api/app.py  | 10 +++++++---
 api/conf.py |  6 ++++++
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/api/app.py b/api/app.py
index 7db7e18..589c8c8 100644
--- a/api/app.py
+++ b/api/app.py
@@ -39,12 +39,16 @@ def init_secret() -> bytes:
     return base64.urlsafe_b64decode(fernet_key)
 
 
-def setup_session(app: web.Application, secure: bool):
+def setup_session(app: web.Application, secure: bool, max_age: int):
     secret = init_secret()
     setup(
         app,
         EncryptedCookieStorage(
-            secret_key=secret, cookie_name="BOTZ_SESSION", httponly=False, secure=secure
+            secret_key=secret,
+            cookie_name="BOTZ_SESSION",
+            httponly=False,
+            secure=secure,
+            max_age=max_age,
         ),
     )
 
@@ -69,7 +73,7 @@ def run(
     app["headless"] = conf["headless"]
     if conf["http"].get("cors_allow"):
         app.on_response_prepare.append(on_prepare_cors)
-    setup_session(app, conf["http"]["cookie_secure"])
+    setup_session(app, conf["http"]["cookie_secure"], conf["http"]["session_timeout"])
     add_static_routes(alog)
     app.add_routes(routes)
     addr = []
diff --git a/api/conf.py b/api/conf.py
index 497771c..ca778ff 100644
--- a/api/conf.py
+++ b/api/conf.py
@@ -24,6 +24,7 @@ def read_conf(path: T.Optional[T.Text]) -> T.Dict:
         port:
         cookie_name:
         cookie_secure:
+        session_timeout:
         cors_allow:
     """
     if path is None:
@@ -90,4 +91,9 @@ def validate_http_log(conf: T.Dict[T.Text, T.Any]) -> T.Dict[T.Text, T.Any]:
         conf["http"]["cookie_name"] = "BOTZ_SESSION"
     if conf["http"].get("cookie_secure") is None:
         conf["http"]["cookie_secure"] = True
+    if conf["http"].get("session_timeout") is None:
+        conf["http"]["session_timeout"] = 300
+    elif isinstance(conf["http"]["session_timeout"], str):
+        conf["http"]["session_timeout"] = int(conf["http"]["session_timeout"])
+
     return conf
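Review bot: The re-laid-out keyword list in setup_session keeps `httponly=False` on the encrypted session cookie, which is an explicit downgrade from aiohttp_session's default of `httponly=True` and leaves the cookie readable by any script running in the page; since the payload is Fernet-encrypted, browser-side code cannot use its contents anyway, so unless something on the front end genuinely reads the raw cookie this should be `httponly=True,`. The new `max_age` parameter is also undocumented: add a docstring such as `"""Attach an encrypted cookie session to *app*; *max_age* is the session lifetime in seconds (sent as the cookie's Max-Age)."""`. Whether aiohttp_session additionally enforces the lifetime server-side from the session's creation time, rather than only through the browser's Max-Age, should be confirmed against the installed version before relying on it as the sole expiry control.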
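Review bot: The new call in run() passes two configuration values positionally, so a reader of the call site cannot tell which is the flag and which is the timeout, and the line exceeds the width the rest of this file keeps to; pass them as keywords, `setup_session(app, secure=conf["http"]["cookie_secure"], max_age=conf["http"]["session_timeout"])`, wrapped over several lines. This also relies on `validate_http_log` having filled in the default beforehand, which the hunk does not show; if run() can be called on a raw config, the `KeyError` here would be surfaced at startup without a hint of which key is missing. run()'s body continues outside the hunk.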
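Review bot: The new `session_timeout` normalisation in validate_http_log accepts values that make the cookie lifetime meaningless: a non-numeric string raises a bare `ValueError` from `int()` with no mention of the setting, zero or a negative number passes through and yields a cookie the browser drops immediately, and any other type (a float or bool from a loader) is passed on unchanged to `max_age: int`. Convert and range-check the value in one place and fail with a message naming the key, using whatever error type the rest of this validator raises for bad values (not visible in the hunk). The `session_timeout:` entry added to read_conf's docstring in the previous hunk should state the unit and default, `session_timeout:  # seconds, default 300`, since nothing else in the config documents it.
```python
    if conf["http"].get("session_timeout") is None:
        conf["http"]["session_timeout"] = 300
    else:
        try:
            timeout = int(conf["http"]["session_timeout"])
        except (TypeError, ValueError) as err:
            raise ValueError("http.session_timeout must be an integer number of seconds") from err
        if timeout <= 0:
            raise ValueError("http.session_timeout must be a positive number of seconds")
        conf["http"]["session_timeout"] = timeout

    return conf
```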