fix(central-ui): resolve CentralUI-005 — sliding cookie session expiry (Security AddCookie + AuthEndpoints + SessionExpiry)

2026-05-16 23:54:31 -04:00
parent b1f4251d75
commit 1e2e7d2e7c
6 changed files with 240 additions and 42 deletions
--- a/tests/ScadaLink.CentralUI.Tests/Auth/SessionExpiryPolicyTests.cs
+++ b/tests/ScadaLink.CentralUI.Tests/Auth/SessionExpiryPolicyTests.cs
@@ -0,0 +1,46 @@
+using Microsoft.AspNetCore.Authentication;
+using ScadaLink.CentralUI.Auth;
+
+namespace ScadaLink.CentralUI.Tests.Auth;
+
+/// <summary>
+/// Regression tests for CentralUI-005. <c>AuthEndpoints</c> previously stamped a
+/// fixed <c>expires_at = UtcNow + 30 min</c> claim and a 30-minute absolute cookie
+/// <c>ExpiresUtc</c> with no sliding refresh, contradicting the documented
+/// "sliding refresh, 30-minute idle timeout" policy. The login handler must now
+/// build <see cref="AuthenticationProperties"/> that let the cookie middleware
+/// own expiry (sliding window) rather than imposing a contradictory fixed
+/// absolute cap.
+/// </summary>
+public class SessionExpiryPolicyTests
+{
+    [Fact]
+    public void BuildSignInProperties_DoesNotSetFixedAbsoluteExpiry()
+    {
+        var props = AuthEndpoints.BuildSignInProperties();
+
+        // A fixed ExpiresUtc would re-introduce the hard 30-minute cap that
+        // overrides the middleware's sliding window. Expiry must be owned by
+        // the cookie middleware (ExpireTimeSpan + SlidingExpiration).
+        Assert.Null(props.ExpiresUtc);
+    }
+
+    [Fact]
+    public void BuildSignInProperties_IsPersistent()
+    {
+        var props = AuthEndpoints.BuildSignInProperties();
+
+        Assert.True(props.IsPersistent);
+    }
+
+    [Fact]
+    public void BuildSignInProperties_AllowsSlidingRefresh()
+    {
+        var props = AuthEndpoints.BuildSignInProperties();
+
+        // AllowRefresh left null/true lets the cookie middleware slide the
+        // expiry on activity. A false value would freeze the session to an
+        // absolute cap — the bug this finding pins.
+        Assert.NotEqual(false, props.AllowRefresh);
+    }
+}
--- a/tests/ScadaLink.Security.Tests/SecurityTests.cs
+++ b/tests/ScadaLink.Security.Tests/SecurityTests.cs
@@ -423,6 +423,63 @@ public class SecurityReviewRegressionTests
        Assert.True(cookieOptions.Cookie.HttpOnly);
    }

+    // --- CentralUI-005: cookie auth must use a sliding session window ---
+    // Documented policy (CLAUDE.md Security & Auth): sliding refresh with a
+    // 30-minute idle timeout. The cookie middleware must enable SlidingExpiration
+    // so an active session is renewed on activity and an idle session expires.
+
+    [Fact]
+    public void AddSecurity_AuthCookie_UsesSlidingExpiration()
+    {
+        var services = new ServiceCollection();
+        services.AddLogging();
+        services.AddDataProtection();
+        services.AddSecurity();
+
+        using var provider = services.BuildServiceProvider();
+        var cookieOptions = provider
+            .GetRequiredService<IOptionsMonitor<Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationOptions>>()
+            .Get(Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationDefaults.AuthenticationScheme);
+
+        Assert.True(cookieOptions.SlidingExpiration);
+    }
+
+    [Fact]
+    public void AddSecurity_AuthCookie_ExpireTimeSpanMatchesIdleTimeout()
+    {
+        var services = new ServiceCollection();
+        services.AddLogging();
+        services.AddDataProtection();
+        services.AddSecurity();
+        // The idle timeout drives the cookie's expiry window.
+        services.Configure<SecurityOptions>(o => o.IdleTimeoutMinutes = 30);
+
+        using var provider = services.BuildServiceProvider();
+        var cookieOptions = provider
+            .GetRequiredService<IOptionsMonitor<Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationOptions>>()
+            .Get(Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationDefaults.AuthenticationScheme);
+
+        Assert.Equal(TimeSpan.FromMinutes(30), cookieOptions.ExpireTimeSpan);
+    }
+
+    [Fact]
+    public void AddSecurity_AuthCookie_ExpireTimeSpanIsConfigurable()
+    {
+        var services = new ServiceCollection();
+        services.AddLogging();
+        services.AddDataProtection();
+        services.AddSecurity();
+        services.Configure<SecurityOptions>(o => o.IdleTimeoutMinutes = 45);
+
+        using var provider = services.BuildServiceProvider();
+        var cookieOptions = provider
+            .GetRequiredService<IOptionsMonitor<Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationOptions>>()
+            .Get(Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationDefaults.AuthenticationScheme);
+
+        Assert.Equal(TimeSpan.FromMinutes(45), cookieOptions.ExpireTimeSpan);
+        Assert.True(cookieOptions.SlidingExpiration);
+    }
+
    // --- Security-001: StartTLS transport must be reachable ---

    [Fact]