makes auth token rotation time configurable

2025-02-25 18:55:37 -06:00 · 2019-01-24 10:50:18 +01:00 · 2019-01-24 10:50:18 +01:00 · 56a521b264
commit 56a521b264
parent 4626f083bb
5 changed files with 29 additions and 3 deletions
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@ -122,6 +122,9 @@ cookie_username = grafana_user
 # How many days an session can be unused before we inactivate it
 login_remember_days = 7

+# How often should the login token be rotated. default to '30m'
+rotate_cookie_every = 30m
+
 # How long should Grafana keep expired tokens before deleting them
 delete_expired_token_after_days = 30

--- a/conf/sample.ini
+++ b/conf/sample.ini
@ -102,6 +102,28 @@ log_queries =
 # For "sqlite3" only. cache mode setting used for connecting to the database. (private, shared)
 ;cache_mode = private

+#################################### Login ###############################
+
+[login]
+
+# Login cookie name
+;cookie_name = grafana_session
+
+# If you want login cookies to be https only. default is false
+;cookie_secure = false
+
+# Logged in user name
+;cookie_username = grafana_user
+
+# How many days an session can be unused before we inactivate it
+;login_remember_days = 7
+
+# How often should the login token be rotated. default to '30m'
+;rotate_cookie_every = 30m
+
+# How long should Grafana keep expired tokens before deleting them
+;delete_expired_token_after_days = 30
+
 #################################### Session ####################################
 [session]
 # Either "memory", "file", "redis", "mysql", "postgres", default is "file"
--- a/pkg/services/auth/auth_token.go
+++ b/pkg/services/auth/auth_token.go
@ -23,7 +23,6 @@ func init() {

 var (
 	getTime          = time.Now
-	RotateTime       = 2 * time.Minute
 	UrgentRotateTime = 20 * time.Second
 	oneYearInSeconds = 31557600 //used as default maxage for session cookies. We validate/rotate them more often.
 )
@ -219,7 +218,7 @@ func (s *UserAuthTokenServiceImpl) RefreshToken(token *userAuthToken, clientIP,
 	needsRotation := false
 	rotatedAt := time.Unix(token.RotatedAt, 0)
 	if token.AuthTokenSeen {
-		needsRotation = rotatedAt.Before(now.Add(-RotateTime))
+		needsRotation = rotatedAt.Before(now.Add(-s.Cfg.LoginCookieRotation))
 	} else {
 		needsRotation = rotatedAt.Before(now.Add(-UrgentRotateTime))
 	}
--- a/pkg/services/auth/auth_token_test.go
+++ b/pkg/services/auth/auth_token_test.go
@ -297,11 +297,11 @@ func createTestContext(t *testing.T) *testContext {
 			LoginCookieSecure:                 false,
 			LoginCookieMaxDays:                7,
 			LoginDeleteExpiredTokensAfterDays: 30,
+			LoginCookieRotation:               10 * time.Minute,
 		},
 		log: log.New("test-logger"),
 	}

-	RotateTime = 10 * time.Minute
 	UrgentRotateTime = time.Minute
 	setting.LogInRememberDays = 7

--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@ -229,6 +229,7 @@ type Cfg struct {
 	LoginCookieUsername               string
 	LoginCookieSecure                 bool
 	LoginCookieMaxDays                int
+	LoginCookieRotation               time.Duration
 	LoginDeleteExpiredTokensAfterDays int
 }

@ -560,6 +561,7 @@ func (cfg *Cfg) Load(args *CommandLineArgs) error {
 	cfg.LoginCookieSecure = login.Key("cookie_secure").MustBool(false)
 	cfg.LoginCookieUsername = login.Key("cookie_username").MustString("grafana_username")
 	cfg.LoginDeleteExpiredTokensAfterDays = login.Key("delete_expired_token_after_days").MustInt(30)
+	cfg.LoginCookieRotation = login.Key("rotate_cookie_every").MustDuration(time.Minute * 30)

 	Env = iniFile.Section("").Key("app_mode").MustString("development")
 	InstanceName = iniFile.Section("").Key("instance_name").MustString("unknown_instance_name")