* feat(auth): absolute-timeout ceiling + slide-on-user-activity (AUTH-1 b+c)
Completes AUTH-1 (slice 1 was the client idle timer, #675).
(b) Absolute timeout is now a real hard ceiling. The cookie-refresh path used
to re-mint a session with a FRESH absolute window on the 7-day refresh token,
so the absolute timeout (default 12h) never bit. Carry the original login's
absolute deadline through the refresh-token lineage (migration 0047 adds
refresh_tokens.absolute_expires_at; stamped at login, copied unchanged on every
rotation). ConsumeRefreshToken refuses past the deadline (ErrRefreshSessionExpired
-> 401 + clear cookies); a refreshed session inherits the original deadline via
IssueSessionWithAbsolute. Legacy tokens (pre-migration) are exempt until they
age out within 7 days.
(c) The server idle window now tracks real user activity, not HTTP traffic.
VerifySession gains WithoutSlide; the binder passes it when a request carries
X-Background-Refresh. The SPA API client marks background/poll GETs with that
header, gated on the idle-timer activity signal (slice 1's localStorage key).
Fail-safe: an unmarked request slides as before, so the change is inert until
the activity signal exists -- no premature logout.
Spec system-auth-identity v1.4.0: C-28/C-29 + AC-28..AC-31. Backend + frontend
tests green; specter 31/31 ACs, 100%.
* fix(auth): SSE stream must not slide the idle window; guard zero absolute deadline
Security-review follow-ups on AUTH-1 (c):
- The /api/v1/events SSE stream authenticates via the binder but EventSource
cannot send X-Background-Refresh, and it reconnects through proxy idle
timeouts — so each (re)connect slid the idle window, letting an open SPA keep
an unattended session alive forever, defeating (c). The binder now passes
WithoutSlide for the SSE path. Binder test extended.
- IssueSessionWithAbsolute now treats a zero deadline as 'no carried ceiling'
and grants a fresh absolute window, instead of capping idle to the zero time
(an always-expired session) — defensive against a future caller.
Spec system-auth-identity C-29/AC-31 updated.
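The carried absolute ceiling and the WithoutSlide verification path described in these two commits, as an added Go model that is not the project's own code: the identifiers echo the commit messages, but every type, signature and window (a 30-minute idle window is assumed) is a constructed assumption.

```go
package main
import "errors"
import "time"
// Constructed model of the commits' mechanism: names echo the commits, everything else is assumed.
var ErrRefreshSessionExpired = errors.New("refresh session expired")
const absoluteWindow = 12 * time.Hour // default absolute timeout (from the commit)
const idleWindow = 30 * time.Minute   // assumed server idle window
// RefreshToken carries the login's absolute deadline; a zero value marks a legacy token.
type RefreshToken struct{ AbsoluteExpiresAt time.Time }
type Session struct{ IdleExpiresAt, AbsoluteExpiresAt time.Time }
func capIdle(now, absolute time.Time) time.Time { // idle never outlives the ceiling
	if idle := now.Add(idleWindow); idle.Before(absolute) {
		return idle
	}
	return absolute
}

// IssueSessionWithAbsolute caps at the carried deadline; a zero deadline = no ceiling, fresh window.
func IssueSessionWithAbsolute(now, absolute time.Time) Session {
	if absolute.IsZero() {
		absolute = now.Add(absoluteWindow)
	}
	return Session{IdleExpiresAt: capIdle(now, absolute), AbsoluteExpiresAt: absolute}
}

// ConsumeRefreshToken refuses rotation past the deadline, else token and session carry it unchanged.
func ConsumeRefreshToken(now time.Time, tok RefreshToken) (RefreshToken, Session, error) {
	if !tok.AbsoluteExpiresAt.IsZero() && !now.Before(tok.AbsoluteExpiresAt) {
		return RefreshToken{}, Session{}, ErrRefreshSessionExpired
	}
	return tok, IssueSessionWithAbsolute(now, tok.AbsoluteExpiresAt), nil
}

// WithoutSlide is the option the binder passes for X-Background-Refresh and SSE requests.
func WithoutSlide(slide *bool) { *slide = false }
// VerifySession rejects expired sessions and, unless WithoutSlide is given, slides the idle window.
func VerifySession(now time.Time, s *Session, opts ...func(*bool)) bool {
	slide := true
	for _, f := range opts {
		f(&slide)
	}
	if !now.Before(s.IdleExpiresAt) || !now.Before(s.AbsoluteExpiresAt) {
		return false
	}
	if slide {
		s.IdleExpiresAt = capIdle(now, s.AbsoluteExpiresAt)
	}
	return true
}
```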