added support for para.security.one_session_per_user and per-app conf…

…iguration of session_timeout; added support for ?jwt-cookie= parameter in signin_success paths

para-core/src/main/java/com/erudika/para/core/App.java

@@ -362,6 +362,9 @@ public void setDeleteOn(Long deleteOn) {
 	 * @return period in seconds
 	 */
 	public Long getTokenValiditySec() {
+		if (getSettings().get("session_timeout") instanceof Number) {
+			tokenValiditySec = Math.abs(((Number) getSettings().get("session_timeout")).longValue());
+		}
 		if (tokenValiditySec == null || tokenValiditySec <= 0) {
 			tokenValiditySec = (long) Config.JWT_EXPIRES_AFTER_SEC;
 		}

para-server/src/main/java/com/erudika/para/security/SecurityUtils.java

@@ -269,6 +269,10 @@ public static SignedJWT generateJWToken(User user, App app) {
 				claimsSet.claim("refresh", getNextRefresh(app.getTokenValiditySec()));
 				claimsSet.claim(Config._APPID, app.getId());
 				if (user != null) {
+					if ("true".equals(SecurityUtils.getSettingForApp(app, "security.one_session_per_user", "true"))) {
+						user.resetTokenSecret();
+						Para.getDAO().update(user);
+					}
 					claimsSet.subject(user.getId());
 					claimsSet.claim("idp", user.getIdentityProvider());
 					userSecret = user.getTokenSecret();

para-server/src/main/java/com/erudika/para/security/SimpleAuthenticationSuccessHandler.java

@@ -62,10 +62,18 @@ public void onAuthenticationSuccess(HttpServletRequest request, HttpServletRespo
 				if (app.isRootApp() && StringUtils.isBlank(customURI)) {
 					customURI = Config.getConfigParam("security.signin_success", "/");
 				}
+				SignedJWT newJWT = null;
 				if (StringUtils.contains(customURI, "jwt=?")) {
-					SignedJWT newJWT = SecurityUtils.generateJWToken(u, app);
+					newJWT = SecurityUtils.generateJWToken(u, app);
 					customURI = customURI.replace("jwt=?", "jwt=" + newJWT.serialize());
 				}
+				if (StringUtils.contains(customURI, "jwt-cookie=")) {
+					String cookieName = StringUtils.substringAfter(customURI, "jwt-cookie=");
+					cookieName = StringUtils.isBlank(cookieName) ? Config.getRootAppIdentifier() + "-jwt" : cookieName;
+					newJWT = (newJWT == null) ? SecurityUtils.generateJWToken(u, app) : newJWT;
+					HttpUtils.setAuthCookie(cookieName, newJWT.serialize(),
+							app.getTokenValiditySec().intValue(), request, response);
+				}
 				if (!StringUtils.isBlank(customURI)) {
 					redirectStrategy.sendRedirect(request, response, customURI);
 					return;

para-server/src/main/java/com/erudika/para/security/SimpleRememberMeServices.java

@@ -21,11 +21,10 @@
 import com.erudika.para.core.App;
 import com.erudika.para.core.User;
 import com.erudika.para.utils.Config;
+import com.erudika.para.utils.HttpUtils;
 import com.erudika.para.utils.Utils;
-import java.util.TimeZone;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import org.apache.commons.lang3.time.DateFormatUtils;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
@@ -91,20 +90,8 @@ protected String retrieveUserName(Authentication authentication) {
 
 	@Override
 	protected void setCookie(String[] tokens, int maxAge, HttpServletRequest request, HttpServletResponse response) {
-		String cookieValue = encodeCookie(tokens);
-		String authCookie = Config.getConfigParam("auth_cookie", Config.PARA.concat("-auth"));
-		String expires = DateFormatUtils.format(System.currentTimeMillis() + (maxAge * 1000),
-				"EEE, dd-MMM-yyyy HH:mm:ss z", TimeZone.getTimeZone("GMT"));
-		String contextPath = request.getContextPath();
-		String path = contextPath.length() > 0 ? contextPath : "/";
-		StringBuilder sb = new StringBuilder();
-		sb.append(authCookie).append("=").append(cookieValue).append(";");
-		sb.append("Path=").append(path).append(";");
-		sb.append("Expires=").append(expires).append(";");
-		sb.append("Max-Age=").append(maxAge).append(";");
-		sb.append("HttpOnly;");
-		sb.append("SameSite=Lax");
-		response.addHeader(javax.ws.rs.core.HttpHeaders.SET_COOKIE, sb.toString());
+		HttpUtils.setAuthCookie(Config.getConfigParam("auth_cookie", Config.PARA.concat("-auth")),
+				encodeCookie(tokens), maxAge, request, response);
 	}
 
 

para-server/src/main/java/com/erudika/para/utils/HttpUtils.java

@@ -17,10 +17,12 @@
  */
 package com.erudika.para.utils;
 
+import java.util.TimeZone;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.time.DateFormatUtils;
 
 /**
  * Various utilities for HTTP stuff - cookies, AJAX, etc.
@@ -136,4 +138,20 @@ public static String getCookieValue(HttpServletRequest req, String name) {
 		}
 		return null;
 	}
+
+	public static void setAuthCookie(String name, String value, int maxAge,
+			HttpServletRequest request, HttpServletResponse response) {
+		String expires = DateFormatUtils.format(System.currentTimeMillis() + (maxAge * 1000),
+				"EEE, dd-MMM-yyyy HH:mm:ss z", TimeZone.getTimeZone("GMT"));
+		String contextPath = request.getContextPath();
+		String path = contextPath.length() > 0 ? contextPath : "/";
+		StringBuilder sb = new StringBuilder();
+		sb.append(name).append("=").append(value).append(";");
+		sb.append("Path=").append(path).append(";");
+		sb.append("Expires=").append(expires).append(";");
+		sb.append("Max-Age=").append(maxAge).append(";");
+		sb.append("HttpOnly;");
+		sb.append("SameSite=Lax");
+		response.addHeader(javax.ws.rs.core.HttpHeaders.SET_COOKIE, sb.toString());
+	}
 }