Add "remember me" option for log in

TUM-Dev / gocast

TUMs lecture streaming service.

https://live.rbg.tum.de/

MIT License

177 stars 41 forks source link

Add "remember me" option for log in #1310

Closed YiranDuan721 closed 5 months ago

YiranDuan721 commented 5 months ago

Motivation and Context

Provide users with the option to make the login status valid for a longer period of time (6 months instead of 1 week). Related: #1302

Description

Passes on whether the user has selected the "remember me" option by setting a cookie, and if so, the jwt cookie set at login is set to be valid for 6 months instead of one week.

Steps for Testing

Logout if necessary, and access the login page
Login via saml or internal login, without selecting the "remember me" option
Check the jwt cookie, it expires in 1 week; the decoded payload also shows an expire date in 1 week
Logout and login again, with "remember me" option checked
Check the jwt cookie, it expires in 6 months; the decoded payload also shows an expire date in 6 months

Screenshots

Change of UI on login page:

github-actions[bot] commented 5 months ago

Your Testserver will be ready at https://1310.test.live.mm.rbg.tum.de in a few minutes.

Logins

| Kurs1 | Kurs2 | Kurs3 | Kurs4 | | ---------------------------------------- | ------------------------- | ------------------------- | ------------------------- | | public | public | loggedin | enrolled | | prof1 | prof1 | prof2 | prof1
prof2 | | student1
student2
student3 | student1
student2 | student2
student3 | student1
student2 |

YiranDuan721 commented 5 months ago

Help wanted: This feature has not been tested under saml login, how can I do it locally or in some other way?

joschahenningsen commented 5 months ago

how can I do it locally or in some other way

This would involve copying the saml configuration part from the production config.yaml as well as the certificates to your local computer (I have done this before but it's not a great & secure way of doing this...)

I'd argue that the saml provider (login.tum.de) also has a remember me button that should be respected by gocast when it's checked and this feature therefore only should apply to the internal login. Then we additionally should implement handling the saml login preference.

YiranDuan721 commented 5 months ago

Thank you!

I'd argue that the saml provider (login.tum.de) also has a remember me button that should be respected by gocast when it's checked and this feature therefore only should apply to the internal login. Then we additionally should implement handling the saml login preference.

But the "remember me" option provided by TUM saml is supposed to be valid only "for the time your browser is opened".

I'd say this seems to go against the requirement mentioned in #1302, since the valid period of the login status is even shorter. (That would come out like Moodle where one needs to login a hundred times per day... Or is that instead the correct configuration for saml login?)

joschahenningsen commented 5 months ago

I don't know if Moodle does this correct. GoCast implements its own session management and I'm all for going against implementation references for SAML if that provides a smoother UX. But maybe we shouldn't issue jwts that are valid for 60 days but instead implement a way of refreshing sessions for logged in users who regularly visit the site. Maybe you can do some research on best practices of managing such sessions?

I imagine there must be a way of having an indefinite session that

is valid for a period of time, e.g. 2 weeks
gets refreshed for another 2 weeks if you visit the website and it will expire within the next week while still being able to invalidate all sessions associated with ones account.

YiranDuan721 commented 5 months ago

Thanks very much for the hint! I'll do further research on this in the next couple of days.