From 5457ff3f058a43f8e395630907afd68964bd782e Mon Sep 17 00:00:00 2001
From: rxbn_
Date: Sun, 15 Aug 2021 13:32:20 +0200
Subject: [PATCH] web - add login timeout

---
 bin/config.js | 1 +
 bin/web/routes/api/login.js | 21 +++++++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/bin/config.js b/bin/config.js
index 539ad8e..aa0412d 100644
--- a/bin/config.js
+++ b/bin/config.js
@@ -23,6 +23,7 @@ module.exports = {
 sessionKey: process.env.SESSION_KEY,
 cookieKey: process.env.COOKIE_KEY,
 registration: false, // false -> no registration
+ loginTimeout: 300, // 300 seconds -> 5 minutes
 cookieMaxAge: 1000*60*60 // one hour (milliseconds*seconds*minutes)
 },
 app: {
diff --git a/bin/web/routes/api/login.js b/bin/web/routes/api/login.js
index abd3374..00aaef5 100644
--- a/bin/web/routes/api/login.js
+++ b/bin/web/routes/api/login.js
@@ -1,5 +1,8 @@
 var sanitize = require('mongo-sanitize');
 var speakeasy = require('speakeasy');
+
+var cfg = require(global['__dirname']+'/bin/config');
+
 let db = global['requireModule']('database');
 
 module.exports = {
@@ -23,6 +26,16 @@ module.exports = {
 ]
 }));
 }
+
+ if(Date.now() > req.session.user.loginTimeout + cfg.web.loginTimeout) {
+ res.clearCookie('RememberMe');
+ req.session.destroy();
+ return res.type('json').status(401).end(JSON.stringify({
+ status: 401,
+ message: 'msg.auth.login.failed'
+ }));
+ }
+
 let mfa = sanitize(req.body.mfa);
 user = await db.getUser(req.session.user.id);
 
@@ -74,6 +87,13 @@ module.exports = {
 req.session.user.loggedInFull = true;
 delete req.session.user.login_step;
 delete req.session.user.login_step_type;
+ delete req.session.user.loginTimeout;
+
+ return res.type('json').end(JSON.stringify({
+ status: 200,
+ message: 'msg.auth.login.successful',
+ type: 'form' // TODO: types - { form, access_app}
+ }));
 } else {
 req.session.user.login_step++;
 req.session.user.login_step_type = user.reply.mfa.data[req.session.user.login_step].type;
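Review bot: The timeout check in the second login.js hunk (`@@ -23,6 +26,16 @@`) never fires: it reads `req.session.user.loginTimeout`, but the last hunk of the patch stores the timestamp under the snake_case key `login_timeout`, so the left operand is `undefined + 300` → `NaN` and `Date.now() > NaN` is always false; the `delete req.session.user.loginTimeout` in the third hunk likewise removes a key that was never set. Independently of the name, `Date.now()` is in milliseconds while the new `cfg.web.loginTimeout` is documented as 300 seconds (and the neighbouring `cookieMaxAge` is in milliseconds), so even with the name fixed the window would be 300 ms rather than 5 minutes. Use one key on all three sites and convert the config to milliseconds, e.g. `if (Date.now() > req.session.user.login_timeout + cfg.web.loginTimeout * 1000) {` here and `delete req.session.user.login_timeout;` in the third hunk. Whether `req.session.user` is guaranteed to exist when this check runs depends on the earlier part of the handler, which starts and ends outside the hunk.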
@@ -175,6 +195,7 @@ module.exports = {
 if(!req.session.user.loggedInFull) { // mfa is active
 req.session.user.login_step_type = user.reply.mfa.data[0].type;
 req.session.user.login_step = 0;
+ req.session.user.login_timeout = Date.now();
 return res.type('json').end(JSON.stringify({
 status: 200,