at authentication time, if the user has not confirmed ownership of a computer,...

at authentication time, if the user has not confirmed ownership of a computer, set a shorter auth period.

lib/configuration.js

@@ -124,6 +124,10 @@ var conf = module.exports = convict({
     doc: "How long may a user stay signed?",
     format: 'integer = 1209600000'
   },
+  ephemeral_session_duration_ms: {
+    doc: "How long a user on a shared computer shall be authenticated",
+    format: 'integer = 300000'
+  },
   certificate_validity_ms: {
     doc: "For how long shall certificates issued by BrowserID be valid?",
     format: 'integer = 86400000'

lib/wsapi.js

@@ -77,7 +77,7 @@ function bcryptPassword(password, cb) {
   });
 };
 
-function authenticateSession(session, uid, level) {
+function authenticateSession(session, uid, level, duration_ms) {
   if (['assertion', 'password'].indexOf(level) === -1)
     throw "invalid authentication level: " + level;
 
@@ -87,6 +87,9 @@ function authenticateSession(session, uid, level) {
       session.auth_level !== level) {
     logger.info("not resetting cookies to 'assertion' authenticate a user who is already password authenticated");
   } else {
+    if (duration_ms) {
+      session.setDuration(duration_ms);
+    }
     session.userid = uid;
     session.auth_level = level;
   }

lib/wsapi/auth_with_assertion.js

@@ -41,7 +41,8 @@ exports.process = function(req, res) {
         return db.emailToUID(email, function(err, uid) {
           if (err) return wsapi.databaseDown(res, err);
           if (!uid) return res.json({ success: false, reason: "internal error" });
-          wsapi.authenticateSession(req.session, uid, 'assertion');
+          wsapi.authenticateSession(req.session, uid, 'assertion',
+                                    req.ephemeral ? config.get('ephemeral_session_duration_ms') : undefined);
           return res.json({ success: true });
         });
       }
@@ -90,7 +91,8 @@ exports.process = function(req, res) {
           }
 
           logger.info("successfully created primary acct for " + email + " (" + r.userid + ")");
-          wsapi.authenticateSession(req.session, r.userid, 'assertion');
+          wsapi.authenticateSession(req.session, r.userid, 'assertion',
+                                    req.ephemeral ? config.get('ephemeral_session_duration_ms') : undefined);
           res.json({ success: true });
         });
       }).on('error', function(e) {

lib/wsapi/authenticate_user.js

@@ -16,7 +16,7 @@ statsd = require('../statsd');
 exports.method = 'post';
 exports.writes_db = false;
 exports.authed = false;
-exports.args = ['email','pass'];
+exports.args = ['email','pass', 'ephemeral'];
 exports.i18n = false;
 
 exports.process = function(req, res) {
@@ -59,7 +59,8 @@ exports.process = function(req, res) {
         } else {
           if (!req.session) req.session = {};
 
-          wsapi.authenticateSession(req.session, uid, 'password');
+          wsapi.authenticateSession(req.session, uid, 'password',
+                                    req.body.ephemeral ? config.get('ephemeral_session_duration_ms') : undefined);
           res.json({ success: true });
 
 

lib/wsapi/complete_user_creation.js

@@ -50,7 +50,8 @@ exports.process = function(req, res) {
           // FIXME: not sure if we want to do this (ba)
           // at this point the user has set a password associated with an email address
           // that they've verified.  We create an authenticated session.
-          wsapi.authenticateSession(req.session, uid, 'password');
+          wsapi.authenticateSession(req.session, uid, 'password',
+                                    config.get('ephemeral_session_duration_ms'));
           res.json({ success: true });
         }
       });

package.json

@@ -9,7 +9,7 @@
         "connect": "1.7.2",
         "convict": "0.0.6",
         "cjson": "0.0.6",
-        "client-sessions": "0.0.3",
+        "client-sessions": "0.0.4",
         "connect-cachify": "0.0.8",
         "connect-cookie-session": "0.0.2",
         "connect-logger-statsd": "0.0.1",