From 2bb41367bca49329c2ece74096e50fc9a422039d Mon Sep 17 00:00:00 2001
From: Nils Mittler <nmittler@bcf-pc03.desktop>
Date: Mon, 20 Feb 2023 16:10:30 +0100
Subject: [PATCH] Make the admin cookie lifetime adjustable

---
 .env.template    | 3 +++
 src/api/admin.rs | 2 +-
 src/config.rs    | 3 +++
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/.env.template b/.env.template
index d2eb768e..0f8f3c31 100644
--- a/.env.template
+++ b/.env.template
@@ -335,6 +335,9 @@
 ## Allow a burst of requests of up to this size, while maintaining the average indicated by `ADMIN_RATELIMIT_SECONDS`.
 # ADMIN_RATELIMIT_MAX_BURST=3
 
+## Set the lifetime of the cookie that is used to authorize admin requests to this value (in minutes).
+# ADMIN_COOKIE_LIFETIME=20
+
 ## Yubico (Yubikey) Settings
 ## Set your Client ID and Secret Key for Yubikey OTP
 ## You can generate it here: https://upgrade.yubico.com/getapikey/
diff --git a/src/api/admin.rs b/src/api/admin.rs
index f791d779..92c8e3b8 100644
--- a/src/api/admin.rs
+++ b/src/api/admin.rs
@@ -184,7 +184,7 @@ fn post_admin_login(data: Form<LoginForm>, cookies: &CookieJar<'_>, ip: ClientIp
 
         let cookie = Cookie::build(COOKIE_NAME, jwt)
             .path(admin_path())
-            .max_age(rocket::time::Duration::minutes(20))
+            .max_age(rocket::time::Duration::minutes(CONFIG.admin_cookie_lifetime()))
             .same_site(SameSite::Strict)
             .http_only(true)
             .finish();
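Review bot: The `max_age` on the changed line takes `CONFIG.admin_cookie_lifetime()` without any guard, and `rocket::time::Duration::minutes` accepts an `i64`, so a zero or negative setting produces a cookie that is already expired when it reaches the browser and locks the operator out of the admin page. If the token in `jwt` carries its own expiry that is still fixed elsewhere, the cookie lifetime and the token lifetime now diverge, and the new knob only governs one of them; worth confirming that both read the same setting. Unless the value is range-checked at config load, clamp it here: `.max_age(rocket::time::Duration::minutes(CONFIG.admin_cookie_lifetime().max(1)))`, with a comment such as `// Operator-configurable; lifetime is the window in which a leaked cookie stays usable.` `post_admin_login` starts and ends outside the hunk.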
diff --git a/src/config.rs b/src/config.rs
index fa53c55b..eed2a9cf 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -581,6 +581,9 @@ make_config! {
         /// Max burst size for admin login requests |> Allow a burst of requests of up to this size, while maintaining the average indicated by `admin_ratelimit_seconds`
         admin_ratelimit_max_burst:     u32, false, def, 3;
 
+        /// Admin cookie lifetime |> Set the lifetime of the cookie that is used to authorize admin requests to this value (in minutes).
+        admin_cookie_lifetime:  i64,    true,   def,    20;
+
         /// Enable groups (BETA!) (Know the risks!) |> Enables groups support for organizations (Currently contains known issues!).
         org_groups_enabled:     bool,   false,  def,    false;
     },
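Review bot: The new `admin_cookie_lifetime` entry on the added line has no bound on its value; as an `i64` it accepts zero, negatives and arbitrarily large numbers, and the only consumer in this patch (`src/api/admin.rs`) feeds it straight into `Duration::minutes`. If `make_config!` or a separate validation step supports range checks, enforce a lower bound of 1 there; otherwise narrowing the type to `u32`, as `admin_ratelimit_max_burst` above already does, rules out the non-positive case at the type level. The second column is `true` here while the neighbouring admin entries use `false`; if that column marks the value as editable from the admin UI, an admin can extend their own session length at runtime, which is a deliberate choice the doc line should state, e.g. `/// Admin cookie lifetime |> Lifetime (in minutes) of the cookie that authorizes admin requests; a longer value widens the window in which a leaked cookie stays valid.` The enclosing `make_config!` block starts and ends outside the hunk.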
-- 
GitLab