fix: set token ttl correctly in redis

Panaetius · Panaetius · commit 60bf5cb3c656 · 2025-04-23T11:11:17.000+02:00
diff --git a/internal/db/token_repo_redis.go b/internal/db/token_repo_redis.go
@@ -42,10 +42,14 @@ func (r RedisAdapter) SetAccessToken(ctx context.Context, token models.AuthToken
 	return r.setAuthToken(ctx, token)
 }
 
-func (r RedisAdapter) SetAccessTokenExpiry(ctx context.Context, token models.AuthToken, expiresAt time.Time) error {
+func (r RedisAdapter) SetAccessTokenExpiry(ctx context.Context, token models.AuthToken, expiresAtLimit time.Time) error {
 	if token.Type != models.AccessTokenType {
 		return fmt.Errorf("token is not of the right type")
 	}
+	expiresAt := expiresAtLimit
+	if !token.ExpiresAt.IsZero() && token.ExpiresAt.Before(expiresAtLimit) {
+		expiresAt = token.ExpiresAt
+	}
 	return r.setAuthTokenExpiry(ctx, token, expiresAt)
 }
 
@@ -57,10 +61,15 @@ func (r RedisAdapter) SetRefreshToken(ctx context.Context, token models.AuthToke
 	return r.setAuthToken(ctx, token)
 }
 
-func (r RedisAdapter) SetRefreshTokenExpiry(ctx context.Context, token models.AuthToken, expiresAt time.Time) error {
+func (r RedisAdapter) SetRefreshTokenExpiry(ctx context.Context, token models.AuthToken, expiresAtLimit time.Time) error {
 	if token.Type != models.RefreshTokenType {
 		return fmt.Errorf("token is not of the right type")
 	}
+	expiresAt := expiresAtLimit
+	if !token.ExpiresAt.IsZero() && token.ExpiresAt.Before(expiresAtLimit) {
+		expiresAt = token.ExpiresAt
+	}
+	slog.Info("refresh token expiry", "limit", expiresAtLimit, "expires", token.ExpiresAt, "zero", token.ExpiresAt.IsZero())
 	return r.setAuthTokenExpiry(ctx, token, expiresAt)
 }
 
@@ -71,10 +80,14 @@ func (r RedisAdapter) SetIDToken(ctx context.Context, token models.AuthToken) er
 	return r.setAuthToken(ctx, token)
 }
 
-func (r RedisAdapter) SetIDTokenExpiry(ctx context.Context, token models.AuthToken, expiresAt time.Time) error {
+func (r RedisAdapter) SetIDTokenExpiry(ctx context.Context, token models.AuthToken, expiresAtLimit time.Time) error {
 	if token.Type != models.IDTokenType {
 		return fmt.Errorf("token is not of the right type")
 	}
+	expiresAt := expiresAtLimit
+	if !token.ExpiresAt.IsZero() && token.ExpiresAt.Before(expiresAtLimit) {
+		expiresAt = token.ExpiresAt
+	}
 	return r.setAuthTokenExpiry(ctx, token, expiresAt)
 }
 
diff --git a/internal/models/token_repository.go b/internal/models/token_repository.go
@@ -24,7 +24,7 @@ type AccessTokenGetter interface {
 
 type AccessTokenSetter interface {
 	SetAccessToken(ctx context.Context, token AuthToken) error
-	SetAccessTokenExpiry(ctx context.Context, token AuthToken, expiresAt time.Time) error
+	SetAccessTokenExpiry(ctx context.Context, token AuthToken, expiresAtLimit time.Time) error
 }
 
 type AccessTokenRemover interface {
@@ -37,7 +37,7 @@ type RefreshTokenGetter interface {
 
 type RefreshTokenSetter interface {
 	SetRefreshToken(ctx context.Context, token AuthToken) error
-	SetRefreshTokenExpiry(ctx context.Context, token AuthToken, expiresAt time.Time) error
+	SetRefreshTokenExpiry(ctx context.Context, token AuthToken, expiresAtLimit time.Time) error
 }
 
 type RefreshTokenRemover interface {
@@ -50,7 +50,7 @@ type IDTokenGetter interface {
 
 type IDTokenSetter interface {
 	SetIDToken(ctx context.Context, token AuthToken) error
-	SetIDTokenExpiry(ctx context.Context, token AuthToken, expiresAt time.Time) error
+	SetIDTokenExpiry(ctx context.Context, token AuthToken, expiresAtLimit time.Time) error
 }
 
 type IDTokenRemover interface {
diff --git a/internal/sessions/session_maker.go b/internal/sessions/session_maker.go
@@ -32,9 +32,9 @@ func (sm *SessionMakerImpl) NewSession() (models.Session, error) {
 	if session.IdleTTL() == time.Duration(0) {
 		session.ExpiresAt = time.Time{}
 	} else if session.MaxTTL() == time.Duration(0) {
-		session.ExpiresAt = session.CreatedAt.Add(session.MaxTTL())
-	} else {
 		session.ExpiresAt = session.CreatedAt.Add(session.IdleTTL())
+	} else {
+		session.ExpiresAt = session.CreatedAt.Add(session.MaxTTL())
 	}
 	slog.Info("NEW SESSION", "session", session)
 	return session, nil
diff --git a/internal/sessions/token_handling.go b/internal/sessions/token_handling.go
@@ -135,7 +135,7 @@ func (sessions *SessionStore) SaveTokens(c echo.Context, session *models.Session
 		session.TokenIDs = models.SerializableMap{}
 	}
 	session.TokenIDs[providerID] = tokens.AccessToken.ID
-	expiresAt := sessions.getTokenStorageExpiration(tokens, *session)
+	expiresAt := sessions.getTokenStorageExpiration(*session)
 	err = sessions.tokenStore.SetAccessToken(c.Request().Context(), tokens.AccessToken)
 	if err != nil {
 		return err
@@ -175,11 +175,6 @@ func (*SessionStore) idTokenKey(tokenID string) string {
 	return IDTokenCtxKey + ":" + tokenID
 }
 
-// getTokenStorageExpiration returns the max session expiration unless the provider is Renku or GitLab, in which case there is no expiration
-func (*SessionStore) getTokenStorageExpiration(tokens models.AuthTokenSet, session models.Session) time.Time {
-	providerID := tokens.AccessToken.ProviderID
-	if providerID == "renku" || providerID == "gitlab" {
-		return time.Time{}
-	}
+func (*SessionStore) getTokenStorageExpiration(session models.Session) time.Time {
 	return session.CreatedAt.Add(session.MaxTTL())
 }

Original file line number	Diff line number	Diff line change
`@@ -42,10 +42,14 @@ func (r RedisAdapter) SetAccessToken(ctx context.Context, token models.AuthToken`
`42`	`42`	`return r.setAuthToken(ctx, token)`
`43`	`43`	`}`
`44`	`44`
`45`		`-func (r RedisAdapter) SetAccessTokenExpiry(ctx context.Context, token models.AuthToken, expiresAt time.Time) error {`
	`45`	`+func (r RedisAdapter) SetAccessTokenExpiry(ctx context.Context, token models.AuthToken, expiresAtLimit time.Time) error {`
`46`	`46`	`if token.Type != models.AccessTokenType {`
`47`	`47`	`return fmt.Errorf("token is not of the right type")`
`48`	`48`	`}`
	`49`	`+ expiresAt := expiresAtLimit`
	`50`	`+ if !token.ExpiresAt.IsZero() && token.ExpiresAt.Before(expiresAtLimit) {`
	`51`	`+ expiresAt = token.ExpiresAt`
	`52`	`+ }`
`49`	`53`	`return r.setAuthTokenExpiry(ctx, token, expiresAt)`
`50`	`54`	`}`
`51`	`55`
`@@ -57,10 +61,15 @@ func (r RedisAdapter) SetRefreshToken(ctx context.Context, token models.AuthToke`
`57`	`61`	`return r.setAuthToken(ctx, token)`
`58`	`62`	`}`
`59`	`63`
`60`		`-func (r RedisAdapter) SetRefreshTokenExpiry(ctx context.Context, token models.AuthToken, expiresAt time.Time) error {`
	`64`	`+func (r RedisAdapter) SetRefreshTokenExpiry(ctx context.Context, token models.AuthToken, expiresAtLimit time.Time) error {`
`61`	`65`	`if token.Type != models.RefreshTokenType {`
`62`	`66`	`return fmt.Errorf("token is not of the right type")`
`63`	`67`	`}`
	`68`	`+ expiresAt := expiresAtLimit`
	`69`	`+ if !token.ExpiresAt.IsZero() && token.ExpiresAt.Before(expiresAtLimit) {`
	`70`	`+ expiresAt = token.ExpiresAt`
	`71`	`+ }`
	`72`	`+ slog.Info("refresh token expiry", "limit", expiresAtLimit, "expires", token.ExpiresAt, "zero", token.ExpiresAt.IsZero())`
`64`	`73`	`return r.setAuthTokenExpiry(ctx, token, expiresAt)`
`65`	`74`	`}`
`66`	`75`
`@@ -71,10 +80,14 @@ func (r RedisAdapter) SetIDToken(ctx context.Context, token models.AuthToken) er`
`71`	`80`	`return r.setAuthToken(ctx, token)`
`72`	`81`	`}`
`73`	`82`
`74`		`-func (r RedisAdapter) SetIDTokenExpiry(ctx context.Context, token models.AuthToken, expiresAt time.Time) error {`
	`83`	`+func (r RedisAdapter) SetIDTokenExpiry(ctx context.Context, token models.AuthToken, expiresAtLimit time.Time) error {`
`75`	`84`	`if token.Type != models.IDTokenType {`
`76`	`85`	`return fmt.Errorf("token is not of the right type")`
`77`	`86`	`}`
	`87`	`+ expiresAt := expiresAtLimit`
	`88`	`+ if !token.ExpiresAt.IsZero() && token.ExpiresAt.Before(expiresAtLimit) {`
	`89`	`+ expiresAt = token.ExpiresAt`
	`90`	`+ }`
`78`	`91`	`return r.setAuthTokenExpiry(ctx, token, expiresAt)`
`79`	`92`	`}`
`80`	`93`
Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ type AccessTokenGetter interface {`
`24`	`24`
`25`	`25`	`type AccessTokenSetter interface {`
`26`	`26`	`SetAccessToken(ctx context.Context, token AuthToken) error`
`27`		`- SetAccessTokenExpiry(ctx context.Context, token AuthToken, expiresAt time.Time) error`
	`27`	`+ SetAccessTokenExpiry(ctx context.Context, token AuthToken, expiresAtLimit time.Time) error`
`28`	`28`	`}`
`29`	`29`
`30`	`30`	`type AccessTokenRemover interface {`
`@@ -37,7 +37,7 @@ type RefreshTokenGetter interface {`
`37`	`37`
`38`	`38`	`type RefreshTokenSetter interface {`
`39`	`39`	`SetRefreshToken(ctx context.Context, token AuthToken) error`
`40`		`- SetRefreshTokenExpiry(ctx context.Context, token AuthToken, expiresAt time.Time) error`
	`40`	`+ SetRefreshTokenExpiry(ctx context.Context, token AuthToken, expiresAtLimit time.Time) error`
`41`	`41`	`}`
`42`	`42`
`43`	`43`	`type RefreshTokenRemover interface {`
`@@ -50,7 +50,7 @@ type IDTokenGetter interface {`
`50`	`50`
`51`	`51`	`type IDTokenSetter interface {`
`52`	`52`	`SetIDToken(ctx context.Context, token AuthToken) error`
`53`		`- SetIDTokenExpiry(ctx context.Context, token AuthToken, expiresAt time.Time) error`
	`53`	`+ SetIDTokenExpiry(ctx context.Context, token AuthToken, expiresAtLimit time.Time) error`
`54`	`54`	`}`
`55`	`55`
`56`	`56`	`type IDTokenRemover interface {`