makes auth token rotation time configurable

56a521b2 · bergquist · 4626f083 · 56a521b2 · 56a521b2 · 56a521b2
Commit 56a521b2 authored Jan 24, 2019 by bergquist
Hide whitespace changes
Inline Side-by-side

Showing with 29 additions and 3 deletions

conf/defaults.ini
+3 -0

conf/sample.ini
+22 -0

pkg/services/auth/auth_token.go
+1 -2

pkg/services/auth/auth_token_test.go
+1 -1

pkg/setting/setting.go
+2 -0

No files found.
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@@ -122,6 +122,9 @@ cookie_username = grafana_user
 # How many days an session can be unused before we inactivate it
 login_remember_days = 7

+# How often should the login token be rotated. default to '30m'
+rotate_cookie_every = 30m
+
 # How long should Grafana keep expired tokens before deleting them
 delete_expired_token_after_days = 30


--- a/conf/sample.ini
+++ b/conf/sample.ini
@@ -102,6 +102,28 @@ log_queries =
 # For "sqlite3" only. cache mode setting used for connecting to the database. (private, shared)
 ;cache_mode = private

+#################################### Login ###############################
+
+[login]
+
+# Login cookie name
+;cookie_name = grafana_session
+
+# If you want login cookies to be https only. default is false
+;cookie_secure = false
+
+# Logged in user name
+;cookie_username = grafana_user
+
+# How many days an session can be unused before we inactivate it
+;login_remember_days = 7
+
+# How often should the login token be rotated. default to '30m'
+;rotate_cookie_every = 30m
+
+# How long should Grafana keep expired tokens before deleting them
+;delete_expired_token_after_days = 30
+
 #################################### Session ####################################
 [session]
 # Either "memory", "file", "redis", "mysql", "postgres", default is "file"

--- a/pkg/services/auth/auth_token.go
+++ b/pkg/services/auth/auth_token.go
@@ -23,7 +23,6 @@ func init() {

 var (
 	getTime          = time.Now
-	RotateTime       = 2 * time.Minute
 	UrgentRotateTime = 20 * time.Second
 	oneYearInSeconds = 31557600 //used as default maxage for session cookies. We validate/rotate them more often.
 )
@@ -219,7 +218,7 @@ func (s *UserAuthTokenServiceImpl) RefreshToken(token *userAuthToken, clientIP, 
 	needsRotation := false
 	rotatedAt := time.Unix(token.RotatedAt, 0)
 	if token.AuthTokenSeen {
-		needsRotation = rotatedAt.Before(now.Add(-RotateTime))
+		needsRotation = rotatedAt.Before(now.Add(-s.Cfg.LoginCookieRotation))
 	} else {
 		needsRotation = rotatedAt.Before(now.Add(-UrgentRotateTime))
 	}

--- a/pkg/services/auth/auth_token_test.go
+++ b/pkg/services/auth/auth_token_test.go
@@ -297,11 +297,11 @@ func createTestContext(t *testing.T) *testContext {
 			LoginCookieSecure:                 false,
 			LoginCookieMaxDays:                7,
 			LoginDeleteExpiredTokensAfterDays: 30,
+			LoginCookieRotation:               10 * time.Minute,
 		},
 		log: log.New("test-logger"),
 	}

-	RotateTime = 10 * time.Minute
 	UrgentRotateTime = time.Minute
 	setting.LogInRememberDays = 7


--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@@ -229,6 +229,7 @@ type Cfg struct {
 	LoginCookieUsername               string
 	LoginCookieSecure                 bool
 	LoginCookieMaxDays                int
+	LoginCookieRotation               time.Duration
 	LoginDeleteExpiredTokensAfterDays int
 }

@@ -560,6 +561,7 @@ func (cfg *Cfg) Load(args *CommandLineArgs) error {
 	cfg.LoginCookieSecure = login.Key("cookie_secure").MustBool(false)
 	cfg.LoginCookieUsername = login.Key("cookie_username").MustString("grafana_username")
 	cfg.LoginDeleteExpiredTokensAfterDays = login.Key("delete_expired_token_after_days").MustInt(30)
+	cfg.LoginCookieRotation = login.Key("rotate_cookie_every").MustDuration(time.Minute * 30)

 	Env = iniFile.Section("").Key("app_mode").MustString("development")
 	InstanceName = iniFile.Section("").Key("instance_name").MustString("unknown_instance_name")