
authorKassio Borges <kborges@gitlab.com>2022-11-03 11:29:35 +0300
committerAlessio Caiazza <acaiazza@gitlab.com>2022-11-03 11:29:35 +0300
commit5f51016111a64f54272eb40383467c8a45876fae (patch)
treef8b30898d4d58f1d23da501163b7f15e9acd3c0f
parent9759fdf494816a1a42b8b3590dde9f74b0aec76e (diff)
Add auth-cookie-session-timeout flag
Related to: https://gitlab.com/gitlab-org/gitlab-pages/-/issues/806 Changelog: added
-rw-r--r--app.go3
-rw-r--r--internal/auth/auth.go17
-rw-r--r--internal/auth/auth_test.go4
-rw-r--r--internal/auth/session.go2
-rw-r--r--internal/config/config.go27
-rw-r--r--internal/config/flags.go12
6 files changed, 37 insertions, 28 deletions
diff --git a/app.go b/app.go
index 09ac5407..911df905 100644
--- a/app.go
+++ b/app.go
@@ -391,7 +391,8 @@ func (a *theApp) setAuth(config *cfg.Config) error {
var err error
a.Auth, err = auth.New(config.General.Domain, config.Authentication.Secret, config.Authentication.ClientID, config.Authentication.ClientSecret,
- config.Authentication.RedirectURI, config.GitLab.InternalServer, config.GitLab.PublicServer, config.Authentication.Scope, config.Authentication.Timeout)
+ config.Authentication.RedirectURI, config.GitLab.InternalServer, config.GitLab.PublicServer, config.Authentication.Scope,
+ config.Authentication.Timeout, config.Authentication.CookieSessionTimeout)
if err != nil {
return fmt.Errorf("could not initialize auth package: %w", err)
}
diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index 3014936b..b4dc73aa 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -37,7 +37,6 @@ const (
tokenURLTemplate = "%s/oauth/token"
callbackPath = "/auth"
authorizeProxyTemplate = "%s?domain=%s&state=%s"
- authSessionMaxAge = 60 * 10 // 10 minutes
failAuthErrMsg = "failed to authenticate request"
fetchAccessTokenErrMsg = "fetching access token failed"
@@ -66,6 +65,7 @@ type Auth struct {
apiClient *http.Client
store sessions.Store
now func() time.Time // allows to stub time.Now() easily in tests
+ cookieSessionTimeout time.Duration
}
type tokenResponse struct {
@@ -637,7 +637,7 @@ func generateKeys(secret string, count int) ([][]byte, error) {
}
// New when authentication supported this will be used to create authentication handler
-func New(pagesDomain, storeSecret, clientID, clientSecret, redirectURI, internalGitlabServer, publicGitlabServer, authScope string, authTimeout time.Duration) (*Auth, error) {
+func New(pagesDomain, storeSecret, clientID, clientSecret, redirectURI, internalGitlabServer, publicGitlabServer, authScope string, authTimeout, cookieSessionTimeout time.Duration) (*Auth, error) {
// generate 3 keys, 2 for the cookie store and 1 for JWT signing
keys, err := generateKeys(storeSecret, 3)
if err != nil {
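Review bot: The new cookieSessionTimeout parameter is accepted by New without any range check, so a negative `--auth-cookie-session-timeout` flows straight through to a negative cookie MaxAge; in the usual cookie-store convention a negative MaxAge emits an already-expired cookie, which would make every authenticated request re-run the OAuth flow (confirm against the sessions package in use). I would reject it up front, next to the key generation, with `if cookieSessionTimeout < 0 { return nil, fmt.Errorf("auth cookie session timeout must not be negative: %v", cookieSessionTimeout) }`, using whichever error helper auth.go already imports. The parameter or the struct field also deserves a one-line doc comment recording that zero means a browser-session cookie, matching the flag help text. The body of New continues into the following hunk, where the field is assigned.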
@@ -655,11 +655,12 @@ func New(pagesDomain, storeSecret, clientID, clientSecret, redirectURI, internal
Timeout: authTimeout,
Transport: httptransport.DefaultTransport,
},
- store: sessions.NewCookieStore(keys[0], keys[1]),
- authSecret: storeSecret,
- authScope: authScope,
- jwtSigningKey: keys[2],
- jwtExpiry: time.Minute,
- now: time.Now,
+ store: sessions.NewCookieStore(keys[0], keys[1]),
+ authSecret: storeSecret,
+ authScope: authScope,
+ jwtSigningKey: keys[2],
+ jwtExpiry: time.Minute,
+ now: time.Now,
+ cookieSessionTimeout: cookieSessionTimeout,
}, nil
}
diff --git a/internal/auth/auth_test.go b/internal/auth/auth_test.go
index 4236d695..47a43d4c 100644
--- a/internal/auth/auth_test.go
+++ b/internal/auth/auth_test.go
@@ -29,7 +29,9 @@ func createTestAuth(t *testing.T, internalServer string, publicServer string) *A
"http://pages.gitlab-example.com/auth",
internalServer,
publicServer,
- "scope", 5*time.Second)
+ "scope",
+ 5*time.Second,
+ 10*time.Minute)
require.NoError(t, err)
diff --git a/internal/auth/session.go b/internal/auth/session.go
index d6402bf9..5bfc8e03 100644
--- a/internal/auth/session.go
+++ b/internal/auth/session.go
@@ -30,7 +30,7 @@ func (a *Auth) getSessionFromStore(r *http.Request) (*hostSession, error) {
session.Options.Path = "/"
session.Options.HttpOnly = true
session.Options.Secure = request.IsHTTPS(r)
- session.Options.MaxAge = authSessionMaxAge
+ session.Options.MaxAge = int(a.cookieSessionTimeout.Seconds())
if session.Values[sessionHostKey] == nil || session.Values[sessionHostKey] != r.Host {
session.Values = make(map[interface{}]interface{})
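Review bot: MaxAge is now `int(a.cookieSessionTimeout.Seconds())`, so any configured duration under one second truncates to 0 and silently becomes a browser-session cookie with no expiry at all, which is the opposite of what an operator lowering the timeout intended. A comment on that line should make the semantics explicit, e.g. `// 0 (including sub-second durations truncated here) yields a browser-session cookie with no MaxAge`, and sub-second or negative values are better rejected when the config is loaded than clamped per request here. Note also that Secure still depends on `request.IsHTTPS(r)`, so over plain HTTP a longer configured timeout now keeps an unprotected session cookie alive for longer; that is pre-existing, but the new knob widens the window. getSessionFromStore continues past the end of this hunk.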
diff --git a/internal/config/config.go b/internal/config/config.go
index 50146011..5a1736ec 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -88,12 +88,13 @@ type ArtifactsServer struct {
// Auth groups settings related to configuring Authentication with
// GitLab
type Auth struct {
- Secret string
- ClientID string
- ClientSecret string
- RedirectURI string
- Scope string
- Timeout time.Duration
+ Secret string
+ ClientID string
+ ClientSecret string
+ RedirectURI string
+ Scope string
+ Timeout time.Duration
+ CookieSessionTimeout time.Duration
}
// Cache configuration for GitLab API
@@ -318,12 +319,13 @@ func loadConfig() (*Config, error) {
URL: *artifactsServer,
},
Authentication: Auth{
- Secret: *secret,
- ClientID: *clientID,
- ClientSecret: *clientSecret,
- RedirectURI: *redirectURI,
- Scope: *authScope,
- Timeout: *authTimeout,
+ Secret: *secret,
+ ClientID: *clientID,
+ ClientSecret: *clientSecret,
+ RedirectURI: *redirectURI,
+ Scope: *authScope,
+ Timeout: *authTimeout,
+ CookieSessionTimeout: *authCookieSessionTimeout,
},
Log: Log{
Format: *logFormat,
@@ -440,6 +442,7 @@ func LogConfig(config *Config) {
"enable-disk": config.GitLab.EnableDisk,
"auth-redirect-uri": config.Authentication.RedirectURI,
"auth-scope": config.Authentication.Scope,
+ "auth-cookie-session-timeout": config.Authentication.CookieSessionTimeout,
"max-conns": config.General.MaxConns,
"max-uri-length": config.General.MaxURILength,
"zip-cache-expiration": config.Zip.ExpirationInterval,
diff --git a/internal/config/flags.go b/internal/config/flags.go
index 9d79f0bc..4b8ee7a0 100644
--- a/internal/config/flags.go
+++ b/internal/config/flags.go
@@ -68,11 +68,13 @@ var (
enableDisk = flag.Bool("enable-disk", true, "Enable disk access, shall be disabled in environments where shared disk storage isn't available")
- clientID = flag.String("auth-client-id", "", "GitLab application Client ID")
- clientSecret = flag.String("auth-client-secret", "", "GitLab application Client Secret")
- redirectURI = flag.String("auth-redirect-uri", "", "GitLab application redirect URI")
- authScope = flag.String("auth-scope", "api", "Scope to be used for authentication (must match GitLab Pages OAuth application settings)")
- authTimeout = flag.Duration("auth-timeout", 5*time.Second, "GitLab application client timeout for authentication")
+ clientID = flag.String("auth-client-id", "", "GitLab application Client ID")
+ clientSecret = flag.String("auth-client-secret", "", "GitLab application Client Secret")
+ redirectURI = flag.String("auth-redirect-uri", "", "GitLab application redirect URI")
+ authScope = flag.String("auth-scope", "api", "Scope to be used for authentication (must match GitLab Pages OAuth application settings)")
+ authTimeout = flag.Duration("auth-timeout", 5*time.Second, "GitLab application client timeout for authentication")
+ authCookieSessionTimeout = flag.Duration("auth-cookie-session-timeout", 10*time.Minute, "Authentication cookie session timeout (truncated to seconds). A zero value means the cookie will be deleted after the browser session ends")
+
maxConns = flag.Int("max-conns", 0, "Limit on the number of concurrent connections to the HTTP, HTTPS or proxy listeners, 0 for no limit")
maxURILength = flag.Int("max-uri-length", 1024, "Limit the length of URI, 0 for unlimited.")
insecureCiphers = flag.Bool("insecure-ciphers", false, "Use default list of cipher suites, may contain insecure ones like 3DES and RC4")