From 9b4d40357f1c0e61124d1db4f3f82a0410534e29 Mon Sep 17 00:00:00 2001
From: Lloyd Hilaiel <lloyd@hilaiel.com>
Date: Wed, 14 Mar 2012 13:12:49 -0600
Subject: [PATCH] at authentication time, if the user has not confirmed
 ownership of a computer, set a shorter auth period.

---
 lib/configuration.js                | 4 ++++
 lib/wsapi.js                        | 5 ++++-
 lib/wsapi/auth_with_assertion.js    | 6 ++++--
 lib/wsapi/authenticate_user.js      | 5 +++--
 lib/wsapi/complete_user_creation.js | 3 ++-
 package.json                        | 2 +-
 6 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/lib/configuration.js b/lib/configuration.js
index 49f980cd2..dfe32e812 100644
--- a/lib/configuration.js
+++ b/lib/configuration.js
@@ -124,6 +124,10 @@ var conf = module.exports = convict({
     doc: "How long may a user stay signed?",
     format: 'integer = 1209600000'
   },
+  ephemeral_session_duration_ms: {
+    doc: "How long a user on a shared computer shall be authenticated",
+    format: 'integer = 300000'
+  },
   certificate_validity_ms: {
     doc: "For how long shall certificates issued by BrowserID be valid?",
     format: 'integer = 86400000'
diff --git a/lib/wsapi.js b/lib/wsapi.js
index e23a50ce9..78f43c548 100644
--- a/lib/wsapi.js
+++ b/lib/wsapi.js
@@ -77,7 +77,7 @@ function bcryptPassword(password, cb) {
   });
 };
 
-function authenticateSession(session, uid, level) {
+function authenticateSession(session, uid, level, duration_ms) {
   if (['assertion', 'password'].indexOf(level) === -1)
     throw "invalid authentication level: " + level;
 
@@ -87,6 +87,9 @@ function authenticateSession(session, uid, level) {
       session.auth_level !== level) {
     logger.info("not resetting cookies to 'assertion' authenticate a user who is already password authenticated");
   } else {
+    if (duration_ms) {
+      session.setDuration(duration_ms);
+    }
     session.userid = uid;
     session.auth_level = level;
   }
diff --git a/lib/wsapi/auth_with_assertion.js b/lib/wsapi/auth_with_assertion.js
index 878115135..b843d4614 100644
--- a/lib/wsapi/auth_with_assertion.js
+++ b/lib/wsapi/auth_with_assertion.js
@@ -41,7 +41,8 @@ exports.process = function(req, res) {
         return db.emailToUID(email, function(err, uid) {
           if (err) return wsapi.databaseDown(res, err);
           if (!uid) return res.json({ success: false, reason: "internal error" });
-          wsapi.authenticateSession(req.session, uid, 'assertion');
+          wsapi.authenticateSession(req.session, uid, 'assertion',
+                                    req.ephemeral ? config.get('ephemeral_session_duration_ms') : undefined);
           return res.json({ success: true });
         });
       }
@@ -90,7 +91,8 @@ exports.process = function(req, res) {
           }
 
           logger.info("successfully created primary acct for " + email + " (" + r.userid + ")");
-          wsapi.authenticateSession(req.session, r.userid, 'assertion');
+          wsapi.authenticateSession(req.session, r.userid, 'assertion',
+                                    req.ephemeral ? config.get('ephemeral_session_duration_ms') : undefined);
           res.json({ success: true });
         });
       }).on('error', function(e) {
diff --git a/lib/wsapi/authenticate_user.js b/lib/wsapi/authenticate_user.js
index b1715a1b4..0abb15e73 100644
--- a/lib/wsapi/authenticate_user.js
+++ b/lib/wsapi/authenticate_user.js
@@ -16,7 +16,7 @@ statsd = require('../statsd');
 exports.method = 'post';
 exports.writes_db = false;
 exports.authed = false;
-exports.args = ['email','pass'];
+exports.args = ['email','pass', 'ephemeral'];
 exports.i18n = false;
 
 exports.process = function(req, res) {
@@ -59,7 +59,8 @@ exports.process = function(req, res) {
         } else {
           if (!req.session) req.session = {};
 
-          wsapi.authenticateSession(req.session, uid, 'password');
+          wsapi.authenticateSession(req.session, uid, 'password',
+                                    req.body.ephemeral ? config.get('ephemeral_session_duration_ms') : undefined);
           res.json({ success: true });
 
 
diff --git a/lib/wsapi/complete_user_creation.js b/lib/wsapi/complete_user_creation.js
index 882351b63..dca109d14 100644
--- a/lib/wsapi/complete_user_creation.js
+++ b/lib/wsapi/complete_user_creation.js
@@ -50,7 +50,8 @@ exports.process = function(req, res) {
           // FIXME: not sure if we want to do this (ba)
           // at this point the user has set a password associated with an email address
           // that they've verified.  We create an authenticated session.
-          wsapi.authenticateSession(req.session, uid, 'password');
+          wsapi.authenticateSession(req.session, uid, 'password',
+                                    config.get('ephemeral_session_duration_ms'));
           res.json({ success: true });
         }
       });
diff --git a/package.json b/package.json
index 2a86e4b4d..fdddf56aa 100644
--- a/package.json
+++ b/package.json
@@ -9,7 +9,7 @@
         "connect": "1.7.2",
         "convict": "0.0.6",
         "cjson": "0.0.6",
-        "client-sessions": "0.0.3",
+        "client-sessions": "0.0.4",
         "connect-cachify": "0.0.8",
         "connect-cookie-session": "0.0.2",
         "connect-logger-statsd": "0.0.1",
-- 
GitLab