Expire registration sessions after an hour

Author: sandhose

crates/handlers/src/views/register/steps/finish.rs

@@ -9,6 +9,7 @@ use axum::{
     response::IntoResponse,
 };
 use axum_extra::TypedHeader;
+use chrono::Duration;
 use mas_axum_utils::{cookies::CookieJar, FancyError, SessionInfoExt as _};
 use mas_data_model::UserAgent;
 use mas_router::{PostAuthAction, UrlBuilder};
@@ -60,6 +61,14 @@ pub(crate) async fn get(
         ));
     }
 
+    // Make sure the registration session hasn't expired
+    // XXX: this duration is hard-coded, could be configurable
+    if clock.now() - registration.created_at > Duration::hours(1) {
+        return Err(FancyError::from(anyhow::anyhow!(
+            "Registration session has expired"
+        )));
+    }
+
     // Check that this registration belongs to this browser
     let registrations = UserRegistrationSessions::load(&cookie_jar);
     if !registrations.contains(&registration) {