Experimental feature to timeout inactive sessions

Author: sandhose

crates/cli/src/commands/server.rs

@@ -166,6 +166,7 @@ impl Options {
                 &mailer,
                 homeserver_connection.clone(),
                 url_builder.clone(),
+                &site_config,
                 shutdown.soft_shutdown_token(),
                 shutdown.task_tracker(),
             )

crates/cli/src/commands/worker.rs

@@ -73,6 +73,7 @@ impl Options {
             &mailer,
             conn,
             url_builder,
+            &site_config,
             shutdown.soft_shutdown_token(),
             shutdown.task_tracker(),
         )

crates/cli/src/util.rs

@@ -12,7 +12,7 @@ use mas_config::{
     EmailTransportKind, ExperimentalConfig, MatrixConfig, PasswordsConfig, PolicyConfig,
     TemplatesConfig,
 };
-use mas_data_model::SiteConfig;
+use mas_data_model::{SessionExpirationConfig, SiteConfig};
 use mas_email::{MailTransport, Mailer};
 use mas_handlers::passwords::PasswordManager;
 use mas_policy::PolicyFactory;
@@ -180,6 +180,15 @@ pub fn site_config_from_config(
     captcha_config: &CaptchaConfig,
 ) -> Result<SiteConfig, anyhow::Error> {
     let captcha = captcha_config_from_config(captcha_config)?;
+    let session_expiration = experimental_config
+        .inactive_session_expiration
+        .as_ref()
+        .map(|c| SessionExpirationConfig {
+            oauth_session_inactivity_ttl: c.expire_oauth_sessions.then_some(c.ttl),
+            compat_session_inactivity_ttl: c.expire_compat_sessions.then_some(c.ttl),
+            user_session_inactivity_ttl: c.expire_user_sessions.then_some(c.ttl),
+        });
+
     Ok(SiteConfig {
         access_token_ttl: experimental_config.access_token_ttl,
         compat_token_ttl: experimental_config.compat_token_ttl,
@@ -198,6 +207,7 @@ pub fn site_config_from_config(
             && account_config.password_recovery_enabled,
         captcha,
         minimum_password_complexity: password_config.minimum_complexity(),
+        session_expiration,
     })
 }
 

crates/config/src/sections/experimental.rs

@@ -11,6 +11,10 @@ use serde_with::serde_as;
 
 use crate::ConfigurationSection;
 
+fn default_true() -> bool {
+    true
+}
+
 fn default_token_ttl() -> Duration {
     Duration::microseconds(5 * 60 * 1000 * 1000)
 }
@@ -19,11 +23,32 @@ fn is_default_token_ttl(value: &Duration) -> bool {
     *value == default_token_ttl()
 }
 
+/// Configuration options for the inactive session expiration feature
+#[serde_as]
+#[derive(Clone, Debug, Deserialize, JsonSchema, Serialize)]
+pub struct InactiveSessionExpirationConfig {
+    /// Time after which an inactive session is automatically finished
+    #[schemars(with = "u64", range(min = 600, max = 7_776_000))]
+    #[serde_as(as = "serde_with::DurationSeconds<i64>")]
+    pub ttl: Duration,
+
+    /// Should compatibility sessions expire after inactivity
+    #[serde(default = "default_true")]
+    pub expire_compat_sessions: bool,
+
+    /// Should OAuth 2.0 sessions expire after inactivity
+    #[serde(default = "default_true")]
+    pub expire_oauth_sessions: bool,
+
+    /// Should user sessions expire after inactivity
+    #[serde(default = "default_true")]
+    pub expire_user_sessions: bool,
+}
+
 /// Configuration sections for experimental options
 ///
 /// Do not change these options unless you know what you are doing.
 #[serde_as]
-#[allow(clippy::struct_excessive_bools)]
 #[derive(Clone, Debug, Deserialize, JsonSchema, Serialize)]
 pub struct ExperimentalConfig {
     /// Time-to-live of access tokens in seconds. Defaults to 5 minutes.
@@ -44,20 +69,29 @@ pub struct ExperimentalConfig {
     )]
     #[serde_as(as = "serde_with::DurationSeconds<i64>")]
     pub compat_token_ttl: Duration,
+
+    /// Experimetal feature to automatically expire inactive sessions
+    ///
+    /// Disabled by default
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub inactive_session_expiration: Option<InactiveSessionExpirationConfig>,
 }
 
 impl Default for ExperimentalConfig {
     fn default() -> Self {
         Self {
             access_token_ttl: default_token_ttl(),
             compat_token_ttl: default_token_ttl(),
+            inactive_session_expiration: None,
         }
     }
 }
 
 impl ExperimentalConfig {
     pub(crate) fn is_default(&self) -> bool {
-        is_default_token_ttl(&self.access_token_ttl) && is_default_token_ttl(&self.compat_token_ttl)
+        is_default_token_ttl(&self.access_token_ttl)
+            && is_default_token_ttl(&self.compat_token_ttl)
+            && self.inactive_session_expiration.is_none()
     }
 }
 

crates/data-model/src/lib.rs

@@ -32,7 +32,7 @@ pub use self::{
         AuthorizationCode, AuthorizationGrant, AuthorizationGrantStage, Client, DeviceCodeGrant,
         DeviceCodeGrantState, InvalidRedirectUriError, JwksOrJwksUri, Pkce, Session, SessionState,
     },
-    site_config::{CaptchaConfig, CaptchaService, SiteConfig},
+    site_config::{CaptchaConfig, CaptchaService, SessionExpirationConfig, SiteConfig},
     tokens::{
         AccessToken, AccessTokenState, RefreshToken, RefreshTokenState, TokenFormatError, TokenType,
     },

crates/data-model/src/site_config.rs

@@ -28,6 +28,14 @@ pub struct CaptchaConfig {
     pub secret_key: String,
 }
 
+/// Automatic session expiration configuration
+#[derive(Debug, Clone)]
+pub struct SessionExpirationConfig {
+    pub user_session_inactivity_ttl: Option<Duration>,
+    pub oauth_session_inactivity_ttl: Option<Duration>,
+    pub compat_session_inactivity_ttl: Option<Duration>,
+}
+
 /// Random site configuration we want accessible in various places.
 #[allow(clippy::struct_excessive_bools)]
 #[derive(Debug, Clone)]
@@ -74,4 +82,6 @@ pub struct SiteConfig {
     /// Minimum password complexity, between 0 and 4.
     /// This is a score from zxcvbn.
     pub minimum_password_complexity: u8,
+
+    pub session_expiration: Option<SessionExpirationConfig>,
 }

crates/handlers/src/test_utils.rs

@@ -139,6 +139,7 @@ pub fn test_site_config() -> SiteConfig {
         account_recovery_allowed: true,
         captcha: None,
         minimum_password_complexity: 1,
+        session_expiration: None,
     }
 }
 

crates/storage/src/queue/tasks.rs

@@ -325,6 +325,17 @@ impl InsertableJob for CleanupExpiredTokensJob {
     const QUEUE_NAME: &'static str = "cleanup-expired-tokens";
 }
 
+/// Scheduled job to expire inactive sessions
+///
+/// This job will trigger jobs to expire inactive compat, oauth and user
+/// sessions.
+#[derive(Serialize, Deserialize, Debug, Clone)]
+pub struct ExpireInactiveSessionsJob;
+
+impl InsertableJob for ExpireInactiveSessionsJob {
+    const QUEUE_NAME: &'static str = "expire-inactive-sessions";
+}
+
 /// Expire inactive OAuth 2.0 sessions
 #[derive(Serialize, Deserialize, Debug, Clone)]
 pub struct ExpireInactiveOAuthSessionsJob {

crates/tasks/src/lib.rs

@@ -6,6 +6,7 @@
 
 use std::sync::{Arc, LazyLock};
 
+use mas_data_model::SiteConfig;
 use mas_email::Mailer;
 use mas_matrix::HomeserverConnection;
 use mas_router::UrlBuilder;
@@ -41,6 +42,7 @@ struct State {
     clock: SystemClock,
     homeserver: Arc<dyn HomeserverConnection<Error = anyhow::Error>>,
     url_builder: UrlBuilder,
+    site_config: SiteConfig,
 }
 
 impl State {
@@ -50,13 +52,15 @@ impl State {
         mailer: Mailer,
         homeserver: impl HomeserverConnection<Error = anyhow::Error> + 'static,
         url_builder: UrlBuilder,
+        site_config: SiteConfig,
     ) -> Self {
         Self {
             pool,
             mailer,
             clock,
             homeserver: Arc::new(homeserver),
             url_builder,
+            site_config,
         }
     }
 
@@ -94,6 +98,10 @@ impl State {
     pub fn url_builder(&self) -> &UrlBuilder {
         &self.url_builder
     }
+
+    pub fn site_config(&self) -> &SiteConfig {
+        &self.site_config
+    }
 }
 
 /// Initialise the workers.
@@ -106,6 +114,7 @@ pub async fn init(
     mailer: &Mailer,
     homeserver: impl HomeserverConnection<Error = anyhow::Error> + 'static,
     url_builder: UrlBuilder,
+    site_config: &SiteConfig,
     cancellation_token: CancellationToken,
     task_tracker: &TaskTracker,
 ) -> Result<(), QueueRunnerError> {
@@ -115,6 +124,7 @@ pub async fn init(
         mailer.clone(),
         homeserver,
         url_builder,
+        site_config.clone(),
     );
     let mut worker = self::new_queue::QueueWorker::new(state, cancellation_token).await?;
 
@@ -129,13 +139,20 @@ pub async fn init(
         .register_handler::<mas_storage::queue::SendEmailAuthenticationCodeJob>()
         .register_handler::<mas_storage::queue::SyncDevicesJob>()
         .register_handler::<mas_storage::queue::VerifyEmailJob>()
+        .register_handler::<mas_storage::queue::ExpireInactiveSessionsJob>()
         .register_handler::<mas_storage::queue::ExpireInactiveCompatSessionsJob>()
         .register_handler::<mas_storage::queue::ExpireInactiveOAuthSessionsJob>()
         .register_handler::<mas_storage::queue::ExpireInactiveUserSessionsJob>()
         .add_schedule(
             "cleanup-expired-tokens",
             "0 0 * * * *".parse()?,
             mas_storage::queue::CleanupExpiredTokensJob,
+        )
+        .add_schedule(
+            "expire-inactive-sessions",
+            // Run this job every 15 minutes
+            "30 */15 * * * *".parse()?,
+            mas_storage::queue::ExpireInactiveSessionsJob,
         );
 
     task_tracker.spawn(worker.run());

crates/tasks/src/sessions.rs

@@ -11,7 +11,7 @@ use mas_storage::{
     compat::CompatSessionFilter,
     oauth2::OAuth2SessionFilter,
     queue::{
-        ExpireInactiveCompatSessionsJob, ExpireInactiveOAuthSessionsJob,
+        ExpireInactiveCompatSessionsJob, ExpireInactiveOAuthSessionsJob, ExpireInactiveSessionsJob,
         ExpireInactiveUserSessionsJob, QueueJobRepositoryExt, SyncDevicesJob,
     },
     user::BrowserSessionFilter,
@@ -22,6 +22,58 @@ use crate::{
     State,
 };
 
+#[async_trait]
+impl RunnableJob for ExpireInactiveSessionsJob {
+    async fn run(&self, state: &State, _context: JobContext) -> Result<(), JobError> {
+        let Some(config) = state.site_config().session_expiration.as_ref() else {
+            // Automatic session expiration is disabled
+            return Ok(());
+        };
+
+        let clock = state.clock();
+        let mut rng = state.rng();
+        let now = clock.now();
+        let mut repo = state.repository().await.map_err(JobError::retry)?;
+
+        if let Some(ttl) = config.oauth_session_inactivity_ttl {
+            repo.queue_job()
+                .schedule_job(
+                    &mut rng,
+                    &clock,
+                    ExpireInactiveOAuthSessionsJob::new(now - ttl),
+                )
+                .await
+                .map_err(JobError::retry)?;
+        }
+
+        if let Some(ttl) = config.compat_session_inactivity_ttl {
+            repo.queue_job()
+                .schedule_job(
+                    &mut rng,
+                    &clock,
+                    ExpireInactiveCompatSessionsJob::new(now - ttl),
+                )
+                .await
+                .map_err(JobError::retry)?;
+        }
+
+        if let Some(ttl) = config.user_session_inactivity_ttl {
+            repo.queue_job()
+                .schedule_job(
+                    &mut rng,
+                    &clock,
+                    ExpireInactiveUserSessionsJob::new(now - ttl),
+                )
+                .await
+                .map_err(JobError::retry)?;
+        }
+
+        repo.save().await.map_err(JobError::retry)?;
+
+        Ok(())
+    }
+}
+
 #[async_trait]
 impl RunnableJob for ExpireInactiveOAuthSessionsJob {
     async fn run(&self, state: &State, _context: JobContext) -> Result<(), JobError> {