fix(central-ui): resolve CentralUI-005 — sliding cookie session expiry (Security AddCookie + AuthEndpoints + SessionExpiry)

2026-05-16 23:54:31 -04:00
parent b1f4251d75
commit 1e2e7d2e7c
6 changed files with 240 additions and 42 deletions
--- a/tests/ScadaLink.Security.Tests/SecurityTests.cs
+++ b/tests/ScadaLink.Security.Tests/SecurityTests.cs
@@ -423,6 +423,63 @@ public class SecurityReviewRegressionTests
        Assert.True(cookieOptions.Cookie.HttpOnly);
    }

+    // --- CentralUI-005: cookie auth must use a sliding session window ---
+    // Documented policy (CLAUDE.md Security & Auth): sliding refresh with a
+    // 30-minute idle timeout. The cookie middleware must enable SlidingExpiration
+    // so an active session is renewed on activity and an idle session expires.
+
+    [Fact]
+    public void AddSecurity_AuthCookie_UsesSlidingExpiration()
+    {
+        var services = new ServiceCollection();
+        services.AddLogging();
+        services.AddDataProtection();
+        services.AddSecurity();
+
+        using var provider = services.BuildServiceProvider();
+        var cookieOptions = provider
+            .GetRequiredService<IOptionsMonitor<Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationOptions>>()
+            .Get(Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationDefaults.AuthenticationScheme);
+
+        Assert.True(cookieOptions.SlidingExpiration);
+    }
+
+    [Fact]
+    public void AddSecurity_AuthCookie_ExpireTimeSpanMatchesIdleTimeout()
+    {
+        var services = new ServiceCollection();
+        services.AddLogging();
+        services.AddDataProtection();
+        services.AddSecurity();
+        // The idle timeout drives the cookie's expiry window.
+        services.Configure<SecurityOptions>(o => o.IdleTimeoutMinutes = 30);
+
+        using var provider = services.BuildServiceProvider();
+        var cookieOptions = provider
+            .GetRequiredService<IOptionsMonitor<Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationOptions>>()
+            .Get(Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationDefaults.AuthenticationScheme);
+
+        Assert.Equal(TimeSpan.FromMinutes(30), cookieOptions.ExpireTimeSpan);
+    }
+
+    [Fact]
+    public void AddSecurity_AuthCookie_ExpireTimeSpanIsConfigurable()
+    {
+        var services = new ServiceCollection();
+        services.AddLogging();
+        services.AddDataProtection();
+        services.AddSecurity();
+        services.Configure<SecurityOptions>(o => o.IdleTimeoutMinutes = 45);
+
+        using var provider = services.BuildServiceProvider();
+        var cookieOptions = provider
+            .GetRequiredService<IOptionsMonitor<Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationOptions>>()
+            .Get(Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationDefaults.AuthenticationScheme);
+
+        Assert.Equal(TimeSpan.FromMinutes(45), cookieOptions.ExpireTimeSpan);
+        Assert.True(cookieOptions.SlidingExpiration);
+    }
+
    // --- Security-001: StartTLS transport must be reachable ---

    [Fact]