From 8475f5bccd8ba48a1c91789160f6c0ddf129aafe Mon Sep 17 00:00:00 2001
From: Thomas Sileo <t@a4.io>
Date: Mon, 21 Nov 2022 20:43:51 +0100
Subject: [PATCH] Fix admin session timeout

---
 app/admin.py     | 3 ++-
 app/config.py    | 3 +++
 app/templates.py | 5 +++--
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/app/admin.py b/app/admin.py
index e837c46..17a06cb 100644
--- a/app/admin.py
+++ b/app/admin.py
@@ -30,6 +30,7 @@ from app.boxes import send_block
 from app.boxes import send_follow
 from app.boxes import send_unblock
 from app.config import EMOJIS
+from app.config import SESSION_TIMEOUT
 from app.config import generate_csrf_token
 from app.config import session_serializer
 from app.config import verify_csrf_token
@@ -66,7 +67,7 @@ async def user_session_or_redirect(
         raise _RedirectToLoginPage
 
     try:
-        loaded_session = session_serializer.loads(session, max_age=3600 * 24 * 3)
+        loaded_session = session_serializer.loads(session, max_age=SESSION_TIMEOUT)
     except Exception:
         logger.exception("Failed to validate admin session")
         raise _RedirectToLoginPage
diff --git a/app/config.py b/app/config.py
index 132030f..54bd4e1 100644
--- a/app/config.py
+++ b/app/config.py
@@ -116,6 +116,8 @@ class Config(pydantic.BaseModel):
     sqlalchemy_database: str | None = None
     key_path: str | None = None
 
+    session_timeout: int = 3600 * 24 * 3  # in seconds, 3 days by default
+
     # Only set when the app is served on a non-root path
     id: str | None = None
 
@@ -171,6 +173,7 @@ ALSO_KNOWN_AS = CONFIG.also_known_as
 CUSTOM_CONTENT_SECURITY_POLICY = CONFIG.custom_content_security_policy
 
 INBOX_RETENTION_DAYS = CONFIG.inbox_retention_days
+SESSION_TIMEOUT = CONFIG.session_timeout
 CUSTOM_FOOTER = (
     markdown(CONFIG.custom_footer.replace("{version}", VERSION))
     if CONFIG.custom_footer
diff --git a/app/templates.py b/app/templates.py
index e33c588..ea4fb26 100644
--- a/app/templates.py
+++ b/app/templates.py
@@ -27,6 +27,7 @@ from app.ap_object import Object
 from app.config import BASE_URL
 from app.config import CUSTOM_FOOTER
 from app.config import DEBUG
+from app.config import SESSION_TIMEOUT
 from app.config import VERSION
 from app.config import generate_csrf_token
 from app.config import session_serializer
@@ -69,10 +70,10 @@ def is_current_user_admin(request: Request) -> bool:
         try:
             loaded_session = session_serializer.loads(
                 session_cookie,
-                max_age=3600 * 12,
+                max_age=SESSION_TIMEOUT,
             )
         except Exception:
-            pass
+            logger.exception("Failed to validate session timeout")
         else:
             is_admin = loaded_session.get("is_logged_in")