fix(central-ui): resolve CentralUI-005 — sliding cookie session expiry (Security AddCookie + AuthEndpoints + SessionExpiry)

2026-05-16 23:54:31 -04:00
parent b1f4251d75
commit 1e2e7d2e7c
6 changed files with 240 additions and 42 deletions
--- a/src/ScadaLink.CentralUI/Auth/AuthEndpoints.cs
+++ b/src/ScadaLink.CentralUI/Auth/AuthEndpoints.cs
@@ -44,15 +44,17 @@ public static class AuthEndpoints
            // Map LDAP groups to roles
            var roleMappingResult = await roleMapper.MapGroupsToRolesAsync(authResult.Groups ?? []);

-            var expiresAt = DateTimeOffset.UtcNow.AddMinutes(30);
-
-            // Build claims from LDAP auth + role mapping
+            // Build claims from LDAP auth + role mapping.
+            // CentralUI-005: no fixed "expires_at" absolute-cap claim is stamped
+            // — session expiry is owned by the cookie middleware's sliding window
+            // (ScadaLink.Security AddCookie: ExpireTimeSpan = idle timeout,
+            // SlidingExpiration = true). A frozen absolute claim would contradict
+            // the documented sliding-refresh policy.
            var claims = new List<Claim>
            {
                new(ClaimTypes.Name, authResult.Username ?? username),
                new(JwtTokenService.DisplayNameClaimType, authResult.DisplayName ?? username),
                new(JwtTokenService.UsernameClaimType, authResult.Username ?? username),
-                new("expires_at", expiresAt.ToUnixTimeSeconds().ToString()),
            };

            foreach (var role in roleMappingResult.Roles)
@@ -74,11 +76,7 @@ public static class AuthEndpoints
            await context.SignInAsync(
                CookieAuthenticationDefaults.AuthenticationScheme,
                principal,
-                new AuthenticationProperties
-                {
-                    IsPersistent = true,
-                    ExpiresUtc = expiresAt
-                });
+                BuildSignInProperties());

            context.Response.Redirect("/");
        }).DisableAntiforgery();
@@ -138,4 +136,22 @@ public static class AuthEndpoints

        return endpoints;
    }
+
+    /// <summary>
+    /// Builds the <see cref="AuthenticationProperties"/> for the login sign-in.
+    /// CentralUI-005: deliberately does <b>not</b> set <see cref="AuthenticationProperties.ExpiresUtc"/>.
+    /// Session expiry is owned by the cookie authentication middleware's sliding
+    /// window (configured in <c>ScadaLink.Security</c>'s <c>AddCookie</c>:
+    /// <c>ExpireTimeSpan</c> = the idle timeout, <c>SlidingExpiration = true</c>).
+    /// Setting a fixed <c>ExpiresUtc</c> here would re-impose a hard absolute cap
+    /// that overrides the sliding window and contradicts the documented
+    /// "sliding refresh, 30-minute idle timeout" policy. <see cref="AuthenticationProperties.IsPersistent"/>
+    /// is true so the cookie survives a browser restart within the idle window;
+    /// <see cref="AuthenticationProperties.AllowRefresh"/> is left unset (null)
+    /// so the middleware is free to slide the expiry on activity.
+    /// </summary>
+    public static AuthenticationProperties BuildSignInProperties() => new()
+    {
+        IsPersistent = true
+    };
 }