Add route config option to avoid extending the user's session timeout

This is necessary for any API that the client may call automatically
(e.g., without user interaction). We don't want those APIs to cause
the user's session to be extended indefinitely.

src/core/server/http/http_server.mocks.ts

@@ -39,6 +39,7 @@ interface RequestFixtureOptions {
  path?: string;
  method?: RouteMethod;
  socket?: Socket;
+ route?: Record<string, any>;
 }
 
 function createKibanaRequestMock({
@@ -49,6 +50,7 @@ function createKibanaRequestMock({
  query = {},
  method = 'get',
  socket = new Socket(),
+ route = { settings: {} },
 }: RequestFixtureOptions = {}) {
  const queryString = querystring.stringify(query);
  return KibanaRequest.from(
@@ -64,7 +66,7 @@ function createKibanaRequestMock({
  query: queryString,
  search: queryString ? `?${queryString}` : queryString,
  },
- route: { settings: {} },
+ route,
  raw: {
  req: { socket },
  },

src/core/server/http/http_server.test.ts

@@ -572,6 +572,7 @@ test('exposes route details of incoming request to a route handler', async () =>
  path: '/',
  options: {
  authRequired: true,
+ extendsSession: true,
  tags: [],
  },
  });

src/core/server/http/http_server.ts

@@ -128,13 +128,15 @@ export class HttpServer {
  for (const router of this.registeredRouters) {
  for (const route of router.getRoutes()) {
  this.log.debug(`registering route handler for [${route.path}]`);
- const { authRequired = true, tags } = route.options;
+ const { authRequired = true, extendsSession = true, tags } = route.options;
+ // Hapi provides the "server.options.app" property to pass in application-specific configuration
  this.server.route({
  handler: route.handler,
  method: route.method,
  path: route.path,
  options: {
  auth: authRequired ? undefined : false,
+ app: { extendsSession },
  tags: tags ? Array.from(tags) : undefined,
  },
  });

src/core/server/http/router/request.ts

@@ -18,7 +18,7 @@
  */
 
 import { Url } from 'url';
-import { Request } from 'hapi';
+import { Request, RouteOptionsApp } from 'hapi';
 
 import { ObjectType, TypeOf } from '@kbn/config-schema';
 
@@ -150,11 +150,13 @@ export class KibanaRequest<Params = unknown, Query = unknown, Body = unknown> {
 
  private getRouteInfo() {
  const request = this[requestSymbol];
+ const app = request.route.settings.app as KibanaRouteOptionsApp;
  return {
  path: request.path,
  method: request.method,
  options: {
  authRequired: request.route.settings.auth !== false,
+ extendsSession: !app || app.extendsSession !== false,
  tags: request.route.settings.tags || [],
  },
  };
@@ -187,3 +189,11 @@ function isRequest(request: any): request is LegacyRequest {
 export function isRealRequest(request: unknown): request is KibanaRequest | LegacyRequest {
  return isKibanaRequest(request) || isRequest(request);
 }
+
+/**
+ * Extend the Hapi interface for application-specific configuration on routes
+ * @internal
+ */
+interface KibanaRouteOptionsApp extends RouteOptionsApp {
+ extendsSession: boolean;
+}

src/core/server/http/router/route.ts

@@ -38,6 +38,15 @@ export interface RouteConfigOptions {
  */
  authRequired?: boolean;
 
+ /**
+ * A flag shows that authentication for a route:
+ * Extends the user's session when true
+ * Does not extend the user's session when false
+ *
+ * Enabled by default.
+ */
+ extendsSession?: boolean;
+
  /**
  * Additional metadata tag strings to attach to the route.
  */

x-pack/plugins/security/server/authentication/authenticator.test.ts

@@ -490,6 +490,54 @@ describe('Authenticator', () => {
  expect(mockSessionStorage.clear).not.toHaveBeenCalled();
  });
 
+ it('does not extend session expiration for routes that opt out.', async () => {
+ const user = mockAuthenticatedUser();
+ const state = { authorization: 'Basic xxx' };
+ const options = { route: { settings: { app: { extendsSession: false } } } };
+ const request = httpServerMock.createKibanaRequest(options);
+ const currentDate = new Date(Date.UTC(2019, 10, 10)).valueOf();
+
+ // Create new authenticator with non-null session `idleTimeout`.
+ const idleTimeout = 3600 * 24;
+ mockOptions = getMockOptions({
+ session: {
+ idleTimeout,
+ lifespan: null,
+ },
+ authc: { providers: ['basic'], oidc: {}, saml: {} },
+ });
+
+ mockSessionStorage = sessionStorageMock.create();
+ mockSessionStorage.get.mockResolvedValue({
+ expires: currentDate + idleTimeout / 2,
+ maxExpires: null,
+ state,
+ provider: 'basic',
+ });
+ mockOptions.sessionStorageFactory.asScoped.mockReturnValue(mockSessionStorage);
+
+ authenticator = new Authenticator(mockOptions);
+
+ mockBasicAuthenticationProvider.authenticate.mockResolvedValue(
+ AuthenticationResult.succeeded(user)
+ );
+
+ jest.spyOn(Date, 'now').mockImplementation(() => currentDate);
+
+ const authenticationResult = await authenticator.authenticate(request);
+ expect(authenticationResult.succeeded()).toBe(true);
+ expect(authenticationResult.user).toEqual(user);
+
+ expect(mockSessionStorage.set).toHaveBeenCalledTimes(1);
+ expect(mockSessionStorage.set).toHaveBeenCalledWith({
+ expires: currentDate + idleTimeout / 2,
+ maxExpires: null,
+ state,
+ provider: 'basic',
+ });
+ expect(mockSessionStorage.clear).not.toHaveBeenCalled();
+ });
+
  it('does not extend session expiration past the defined maximum session lifespan.', async () => {
  const user = mockAuthenticatedUser();
  const state = { authorization: 'Basic xxx' };

x-pack/plugins/security/server/authentication/authenticator.ts

@@ -270,7 +270,8 @@ export class Authenticator {
  if (existingSession && shouldClearSession) {
  sessionStorage.clear();
  } else if (!attempt.stateless && authenticationResult.shouldUpdateState()) {
- const { expires, maxExpires } = this.calculateExpiry(existingSession);
+ const shouldExtendSession = request.route.options.extendsSession;
+ const { expires, maxExpires } = this.calculateExpiry(existingSession, shouldExtendSession);
  sessionStorage.set({
  state: authenticationResult.state,
  provider: attempt.provider,
@@ -302,11 +303,13 @@ export class Authenticator {
  ownsSession ? existingSession!.state : null
  );
 
+ const shouldExtendSession = request.route.options.extendsSession;
  this.updateSessionValue(sessionStorage, {
  providerType,
  isSystemAPIRequest: this.options.isSystemAPIRequest(request),
  authenticationResult,
  existingSession: ownsSession ? existingSession : null,
+ shouldExtendSession,
  });
 
  if (
@@ -397,11 +400,13 @@ export class Authenticator {
  providerType,
  authenticationResult,
  existingSession,
+ shouldExtendSession,
  isSystemAPIRequest,
  }: {
  providerType: string;
  authenticationResult: AuthenticationResult;
  existingSession: ProviderSession | null;
+ shouldExtendSession: boolean;
  isSystemAPIRequest: boolean;
  }
  ) {
@@ -425,7 +430,7 @@ export class Authenticator {
  ) {
  sessionStorage.clear();
  } else if (sessionCanBeUpdated) {
- const { expires, maxExpires } = this.calculateExpiry(existingSession);
+ const { expires, maxExpires } = this.calculateExpiry(existingSession, shouldExtendSession);
  sessionStorage.set({
  state: authenticationResult.shouldUpdateState()
  ? authenticationResult.state
@@ -438,8 +443,15 @@ export class Authenticator {
  }
 
  private calculateExpiry(
- existingSession: ProviderSession | null
+ existingSession: ProviderSession | null,
+ shouldExtendSession: boolean
  ): { expires: number | null; maxExpires: number | null } {
+ // if we should not extend the session expiration, and there is an existing session,
+ // then just return the values for the existing session
+ if (!shouldExtendSession && existingSession) {
+ return existingSession;
+ }
+
  const maxExpires = existingSession
  ? existingSession.maxExpires
  : this.lifespan && Date.now() + this.lifespan;