Improve authentication/registration session expiration #287

@phavekes

This issue is imported from pivotal - Originally created at Sep 2, 2024 by Pieter van der Meulen

Currently, during the authentication polling sequence of the web-client, the tiqr GSSP will test if the authentication session is not expired by calling getauthenticationurl(). If the authentication session is expired this will generate errors and the server will return a "timeout" status to the web client.

No expiry check is performed during the enrollment polling sequence; that should be added.

Ideally the UI in the web client should provide feedback to the user that the authentication / enrollment session has expired. For now the goal is that this situation is clearly visible in the logs and can be differentiated from things like missing cookies or sessions.

The tiqr GSSP must be able to handle the timeout situation itself. The expiration times are configured as constants in the Tiqr_Service class and are public. These expiration times can be evaluated in the GSSP itself. To do this, we need to start tracking the start of the authn/registration, and start rejecting the authentication/enrollment a few seconds (e.g. 5 seconds) before the actual expiration.
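
One way the tracking described above could look, as an added sketch that is not code from the tiqr GSSP or from this issue's author. The class name `TiqrSessionTimer`, its method names and the lifetime values are assumptions; a real implementation would read the lifetimes from the public expiration constants of Tiqr_Service. It returns a distinct status for "expired" and for "never started", so the two cases can be logged differently.

```php
<?php
declare(strict_types=1);

// Added example. Lifetimes below are placeholders (assumed values); the real
// ones are the public expiration constants of Tiqr_Service named in the issue.
final class TiqrSessionTimer
{
    public const MARGIN_SECONDS = 5;   // reject this long before the real expiry

    private const LIFETIME = [         // assumed values, in seconds
        'authentication' => 180,
        'enrollment'     => 300,
    ];

    /** @var array<string,int> start time per session kind (e.g. kept in the web session) */
    private array $startedAt = [];

    /** Record the moment the authentication or enrollment was started. */
    public function start(string $kind, int $now): void
    {
        $this->assertKnown($kind);
        $this->startedAt[$kind] = $now;
    }

    /** Returns 'valid', 'expired' or 'not-started' so the log can tell them apart. */
    public function status(string $kind, int $now): string
    {
        $this->assertKnown($kind);
        if (!array_key_exists($kind, $this->startedAt)) {
            return 'not-started';      // missing cookie or session, not a timeout
        }
        $deadline = $this->startedAt[$kind] + self::LIFETIME[$kind] - self::MARGIN_SECONDS;
        return $now >= $deadline ? 'expired' : 'valid';
    }

    private function assertKnown(string $kind): void
    {
        if (!array_key_exists($kind, self::LIFETIME)) {
            throw new InvalidArgumentException("unknown session kind: $kind");
        }
    }
}

// Constructed polling sequence: an enrollment started at t=1000, polled four times.
$timer = new TiqrSessionTimer();
$timer->start('enrollment', 1000);
foreach ([1000, 1294, 1295, 1300] as $t) {
    printf("t=%d enrollment=%s\n", $t, $timer->status('enrollment', $t));
}
// No authentication was started, so this is reported separately from a timeout.
printf("t=1000 authentication=%s\n", $timer->status('authentication', 1000));
```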
