Commit 9b4d4035 authored by Lloyd Hilaiel's avatar Lloyd Hilaiel

at authentication time, if the user has not confirmed ownership of a computer,...

At authentication time, if the user has not confirmed that they own the computer they are using, set a shorter authentication period for the session.
parent 9d2e02b7
......@@ -124,6 +124,10 @@ var conf = module.exports = convict({
doc: "How long may a user stay signed?",
format: 'integer = 1209600000'
},
ephemeral_session_duration_ms: {
doc: "How long a user on a shared computer shall be authenticated",
format: 'integer = 300000'
},
certificate_validity_ms: {
doc: "For how long shall certificates issued by BrowserID be valid?",
format: 'integer = 86400000'
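Review bot: The doc string on the new `ephemeral_session_duration_ms` key does not say how it relates to the regular sign-in duration configured just above it (whose key name is outside this hunk), and nothing here enforces that the ephemeral value is the smaller of the two; an operator who sets it larger would make the "shared computer" choice lengthen a session instead of shortening it. The default of 300000 also reads better with its unit and intent spelled out. Suggest `doc: "How long (ms) a user who has not confirmed ownership of the computer stays authenticated; must be shorter than the regular sign-in duration. Default 5 minutes."`, and, if the config layer supports it, a startup check that this value is below the regular duration.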
......
......@@ -77,7 +77,7 @@ function bcryptPassword(password, cb) {
});
};
function authenticateSession(session, uid, level) {
function authenticateSession(session, uid, level, duration_ms) {
if (['assertion', 'password'].indexOf(level) === -1)
throw "invalid authentication level: " + level;
......@@ -87,6 +87,9 @@ function authenticateSession(session, uid, level) {
session.auth_level !== level) {
logger.info("not resetting cookies to 'assertion' authenticate a user who is already password authenticated");
} else {
if (duration_ms) {
session.setDuration(duration_ms);
}
session.userid = uid;
session.auth_level = level;
}
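Review bot: The new `session.setDuration(duration_ms)` call sits only in the `else` branch, so when the branch above it fires (an already password-authenticated session being re-authenticated by assertion) the requested shorter lifetime is silently dropped and the long-lived cookie stays, which is the opposite of what an ephemeral flag should guarantee. Applying the duration before the level check keeps the "do not downgrade auth_level" logic intact while still honouring the shorter lifetime: move `if (duration_ms) session.setDuration(duration_ms);` to just before `if (... session.auth_level !== level)`. It is also worth a comment that when `duration_ms` is undefined the session's existing duration is left untouched rather than reset to the regular one; from what is visible that is presumably the intent, but it should be stated. `authenticateSession` begins in the first hunk but its body continues past the end of the second.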
......
......@@ -41,7 +41,8 @@ exports.process = function(req, res) {
return db.emailToUID(email, function(err, uid) {
if (err) return wsapi.databaseDown(res, err);
if (!uid) return res.json({ success: false, reason: "internal error" });
wsapi.authenticateSession(req.session, uid, 'assertion');
wsapi.authenticateSession(req.session, uid, 'assertion',
req.ephemeral ? config.get('ephemeral_session_duration_ms') : undefined);
return res.json({ success: true });
});
}
......@@ -90,7 +91,8 @@ exports.process = function(req, res) {
}
logger.info("successfully created primary acct for " + email + " (" + r.userid + ")");
wsapi.authenticateSession(req.session, r.userid, 'assertion');
wsapi.authenticateSession(req.session, r.userid, 'assertion',
req.ephemeral ? config.get('ephemeral_session_duration_ms') : undefined);
res.json({ success: true });
});
}).on('error', function(e) {
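Review bot: Both new call sites read `req.ephemeral`, whereas the password path in this commit reads `req.body.ephemeral` and declares `ephemeral` in `exports.args`; unless some middleware not shown here copies the flag onto `req`, `req.ephemeral` is always undefined and assertion-based logins never receive the shorter duration, so the feature silently does nothing for exactly the flow the commit message targets. Suggest `req.body.ephemeral ? config.get('ephemeral_session_duration_ms') : undefined` at both sites and adding `'ephemeral'` to this handler's `exports.args` (outside the hunk), or, if a middleware really does set `req.ephemeral`, a one-line comment naming it. This file also needs `config` in scope, which is not visible in these hunks. Both enclosing `process` functions begin and end outside the hunks shown.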
......
......@@ -16,7 +16,7 @@ statsd = require('../statsd');
exports.method = 'post';
exports.writes_db = false;
exports.authed = false;
exports.args = ['email','pass'];
exports.args = ['email','pass', 'ephemeral'];
exports.i18n = false;
exports.process = function(req, res) {
......@@ -59,7 +59,8 @@ exports.process = function(req, res) {
} else {
if (!req.session) req.session = {};
wsapi.authenticateSession(req.session, uid, 'password');
wsapi.authenticateSession(req.session, uid, 'password',
req.body.ephemeral ? config.get('ephemeral_session_duration_ms') : undefined);
res.json({ success: true });
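Review bot: The line just above the new call, `if (!req.session) req.session = {};`, means that when no session middleware object is present the ephemeral duration is passed to `authenticateSession`, which then calls `session.setDuration` on a plain object and throws a TypeError after the password has already been verified; if that fallback is ever reachable, an ephemeral login on a fresh request would fail with a server error instead of a short session. Either drop the fallback or guard the call, e.g. `if (req.session && typeof req.session.setDuration === 'function') ...`, and document which one is intended. Two smaller points: `req.body.ephemeral ?` is a truthiness test, so a form-encoded `"false"` counts as ephemeral (fail-safe in direction, but `=== true` or an explicit parse would make the contract clear), and adding `'ephemeral'` to `exports.args` may make the parameter mandatory for existing clients if `args` are enforced as required elsewhere. The enclosing `process` function begins outside the hunk.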
......
......@@ -50,7 +50,8 @@ exports.process = function(req, res) {
// FIXME: not sure if we want to do this (ba)
// at this point the user has set a password associated with an email address
// that they've verified. We create an authenticated session.
wsapi.authenticateSession(req.session, uid, 'password');
wsapi.authenticateSession(req.session, uid, 'password',
config.get('ephemeral_session_duration_ms'));
res.json({ success: true });
}
});
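Review bot: This call site passes `config.get('ephemeral_session_duration_ms')` unconditionally, so every user who completes account creation gets the short session regardless of the computer they are on, while the other callers in this commit only do so when an ephemeral flag is set; if that is deliberate (the flag is not available at this point and a just-verified address on an unknown machine should default to the conservative lifetime), it deserves a comment, because it reads like a missed ternary. Suggest `// no ephemeral flag reaches this handler; default to the short session and let the user re-authenticate for a long-lived one` above the call, or reading the flag from `req.body` the way `authenticate_user` does. The pre-existing FIXME directly above should be resolved or reworded now that the session lifetime has been decided. The enclosing `process` function begins outside the hunk.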
......