fix: align session client expiry with cookie max age

2026-06-09 00:05:25 +08:00 · 2026-05-09 13:00:36 +02:00
parent 67d87f1b50
commit cf9a1ea32f
4 changed files with 13 additions and 8 deletions
--- a/api/oidc.go
+++ b/api/oidc.go
@@ -424,10 +424,11 @@ func (a *OIDCAPI) resolveUser(info *oidc.UserInfo) (*model.User, int, error) {
 func (a *OIDCAPI) createClient(name string, userID uint) (*model.Client, error) {
 	elevatedUntil := time.Now().Add(model.DefaultElevationDuration)
 	client := &model.Client{
-		Name:          name,
-		Token:         auth.GenerateNotExistingToken(generateClientToken, func(t string) bool { c, _ := a.DB.GetClientByToken(t); return c != nil }),
-		UserID:        userID,
-		ElevatedUntil: &elevatedUntil,
+		Name:                          name,
+		Token:                         auth.GenerateNotExistingToken(generateClientToken, func(t string) bool { c, _ := a.DB.GetClientByToken(t); return c != nil }),
+		UserID:                        userID,
+		ElevatedUntil:                 &elevatedUntil,
+		ExpiresAfterInactivitySeconds: auth.CookieMaxAge,
 	}
 	return client, a.DB.CreateClient(client)
 }
--- a/api/oidc_test.go
+++ b/api/oidc_test.go
@@ -7,6 +7,7 @@ import (
 	"time"

 	"github.com/gin-gonic/gin"
+	"github.com/gotify/server/v2/auth"
 	"github.com/gotify/server/v2/decaymap"
 	"github.com/gotify/server/v2/mode"
 	"github.com/gotify/server/v2/test"
@@ -153,6 +154,7 @@ func (s *OIDCSuite) Test_CreateClient() {
 	assert.Equal(s.T(), "MyPhone", client.Name)
 	assert.Equal(s.T(), "Ctesttoken00001", client.Token)
 	assert.Equal(s.T(), uint(1), client.UserID)
+	assert.Equal(s.T(), uint(auth.CookieMaxAge), client.ExpiresAfterInactivitySeconds)

 	dbClient, err := s.db.GetClientByToken("Ctesttoken00001")
 	assert.NoError(s.T(), err)
--- a/api/session.go
+++ b/api/session.go
@@ -77,10 +77,11 @@ func (a *SessionAPI) Login(ctx *gin.Context) {

 	elevatedUntil := time.Now().Add(model.DefaultElevationDuration)
 	client := model.Client{
-		Name:          clientParams.Name,
-		Token:         auth.GenerateNotExistingToken(generateClientToken, a.clientExists),
-		UserID:        user.ID,
-		ElevatedUntil: &elevatedUntil,
+		Name:                          clientParams.Name,
+		Token:                         auth.GenerateNotExistingToken(generateClientToken, a.clientExists),
+		UserID:                        user.ID,
+		ElevatedUntil:                 &elevatedUntil,
+		ExpiresAfterInactivitySeconds: auth.CookieMaxAge,
 	}
 	if success := successOrAbort(ctx, 500, a.DB.CreateClient(&client)); !success {
 		return
--- a/api/session_test.go
+++ b/api/session_test.go
@@ -90,6 +90,7 @@ func (s *SessionSuite) Test_Login_Success() {
 	assert.NoError(s.T(), err)
 	assert.Len(s.T(), clients, 1)
 	assert.Equal(s.T(), "test-browser", clients[0].Name)
+	assert.Equal(s.T(), uint(auth.CookieMaxAge), clients[0].ExpiresAfterInactivitySeconds)
 }

 func (s *SessionSuite) Test_Login_WrongPassword() {