Implement a stronger, reusable session timeout

2025-04-16 10:32:34 +01:00
parent f7e9fe7794
commit 7f91771166
4 changed files with 61 additions and 13 deletions
--- a/constants/session.go
+++ b/constants/session.go
@@ -0,0 +1,5 @@
+package constants
+
+import "time"
+
+const SessionDuration = 30 * time.Minute
--- a/middleware/auth.go
+++ b/middleware/auth.go
@@ -4,11 +4,10 @@ import (
 	"net/http"
 	"time"

+	"synlotto-website/constants"
 	"synlotto-website/helpers"
 )

-const SessionTimeout = 30 * time.Minute
-
 func Auth(required bool) func(http.HandlerFunc) http.HandlerFunc {
 	return func(next http.HandlerFunc) http.HandlerFunc {
 		return func(w http.ResponseWriter, r *http.Request) {
@@ -23,7 +22,7 @@ func Auth(required bool) func(http.HandlerFunc) http.HandlerFunc {

 			if ok {
 				last, hasLast := session.Values["last_activity"].(time.Time)
-				if hasLast && time.Since(last) > SessionTimeout {
+				if hasLast && time.Since(last) > constants.SessionDuration {
 					session.Options.MaxAge = -1
 					session.Save(r, w)

@@ -43,3 +42,7 @@ func Auth(required bool) func(http.HandlerFunc) http.HandlerFunc {
 		}
 	}
 }
+
+func Protected(h http.HandlerFunc) http.HandlerFunc {
+	return Auth(true)(SessionTimeout(h))
+}
--- a/middleware/sessiontimeout.go
+++ b/middleware/sessiontimeout.go
@@ -0,0 +1,40 @@
+package middleware
+
+import (
+	"log"
+	"net/http"
+	"time"
+
+	session "synlotto-website/handlers/session"
+
+	"synlotto-website/constants"
+)
+
+func SessionTimeout(next http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		sess, err := session.GetSession(w, r)
+		if err != nil {
+			http.Redirect(w, r, "/account/login", http.StatusSeeOther)
+			return
+		}
+
+		last, ok := sess.Values["last_activity"].(time.Time)
+		if !ok || time.Since(last) > constants.SessionDuration {
+			sess.Options.MaxAge = -1
+			_ = sess.Save(r, w)
+
+			newSession, _ := session.GetSession(w, r)
+			newSession.Values["flash"] = "Your session has timed out."
+			_ = newSession.Save(r, w)
+
+			log.Printf("Session timeout triggered")
+			http.Redirect(w, r, "/account/login", http.StatusSeeOther)
+			return
+		}
+
+		sess.Values["last_activity"] = time.Now().UTC()
+		_ = sess.Save(r, w)
+
+		next(w, r)
+	}
+}
--- a/routes/accountroutes.go
+++ b/routes/accountroutes.go
@@ -9,17 +9,17 @@ import (
 )

 func SetupAccountRoutes(mux *http.ServeMux, db *sql.DB) {
-	mux.HandleFunc("/login", middleware.Auth(false)(handlers.Login))
+	mux.HandleFunc("/login", middleware.Protected(handlers.Login))
 	mux.HandleFunc("/logout", handlers.Logout)
-	mux.HandleFunc("/signup", middleware.Auth(false)(handlers.Signup))
+	mux.HandleFunc("/signup", middleware.Protected(handlers.Signup))
 	mux.HandleFunc("/account/tickets/add_ticket", handlers.AddTicket(db))
 	mux.HandleFunc("/account/tickets/my_tickets", handlers.GetMyTickets(db))
-	mux.HandleFunc("/account/messages", middleware.Auth(true)(handlers.MessagesInboxHandler(db)))
-	mux.HandleFunc("/account/messages/read", middleware.Auth(true)(handlers.ReadMessageHandler(db)))
-	mux.HandleFunc("/account/messages/archive", middleware.Auth(true)(handlers.ArchiveMessageHandler(db)))
-	mux.HandleFunc("/account/messages/archived", middleware.Auth(true)(handlers.ArchivedMessagesHandler(db)))
-	mux.HandleFunc("/account/messages/restore", middleware.Auth(true)(handlers.RestoreMessageHandler(db)))
-	mux.HandleFunc("/account/messages/send", middleware.Auth(true)(handlers.SendMessageHandler(db)))
-	mux.HandleFunc("/account/notifications", middleware.Auth(true)(handlers.NotificationsHandler(db)))
-	mux.HandleFunc("/account/notifications/read", middleware.Auth(true)(handlers.MarkNotificationReadHandler(db)))
+	mux.HandleFunc("/account/messages", middleware.Protected(handlers.MessagesInboxHandler(db)))
+	mux.HandleFunc("/account/messages/read", middleware.Protected(handlers.ReadMessageHandler(db)))
+	mux.HandleFunc("/account/messages/archive", middleware.Protected(handlers.ArchiveMessageHandler(db)))
+	mux.HandleFunc("/account/messages/archived", middleware.Protected(handlers.ArchivedMessagesHandler(db)))
+	mux.HandleFunc("/account/messages/restore", middleware.Protected(handlers.RestoreMessageHandler(db)))
+	mux.HandleFunc("/account/messages/send", middleware.Protected(handlers.SendMessageHandler(db)))
+	mux.HandleFunc("/account/notifications", middleware.Protected(handlers.NotificationsHandler(db)))
+	mux.HandleFunc("/account/notifications/read", middleware.Protected(handlers.MarkNotificationReadHandler(db)))
 }