jeremyevans / rodauth

Ruby's Most Advanced Authentication Framework
http://rodauth.jeremyevans.net
MIT License

Clear session when unverified grace period expired on require login #211

Closed. janko closed this 2 years ago

janko commented 2 years ago

Follow-up to the discussion in https://github.com/jeremyevans/rodauth/discussions/210

Currently a user whose unverified grace period expired can still continue to browse the application, as long as they don't close their browser or visit any authentication routes.

We address that by adding the grace period expiration to the session, and logging the user out when it has expired. By storing this in session, we avoid a database query on each call to require_login. We maintain backwards compatibility with existing session values still set to true.
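An added illustration of the session-based check described above; this is example code, not Rodauth's own implementation. The session key name, the use of integer Unix timestamps, and treating a legacy `true` value as not yet expired are assumptions made for the example.

```ruby
# Illustrates the PR's approach: keep the grace period expiration in the
# session so require_login can decide without a database query, and stay
# compatible with older sessions that only stored `true`.
# Assumed for this example: the key name and integer Unix timestamps.
module GracePeriodCheck
  GRACE_KEY = :unverified_account_expires_at  # assumed key name

  # Record the expiration when an unverified account logs in.
  def self.start_grace_period(session, seconds, now: Time.now)
    session[GRACE_KEY] = now.to_i + seconds
    session
  end

  # Expired only when the session carries an integer expiration that is
  # already in the past. A legacy `true` value (written before expirations
  # were stored) is assumed not expired, and a session without the key
  # belongs to a verified account and is never subject to this check.
  def self.grace_period_expired?(session, now: Time.now)
    value = session[GRACE_KEY]
    value.is_a?(Integer) && value <= now.to_i
  end

  # Mirrors a require_login hook: a logged-in session whose grace period
  # has lapsed is cleared, so the next request goes through login again.
  def self.require_login(session, now: Time.now)
    session.clear if session[:account_id] && grace_period_expired?(session, now: now)
    session[:account_id] ? :allowed : :login_required
  end
end
```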

jeremyevans commented 2 years ago

Looks good! I'll test and merge shortly.

jeremyevans commented 2 years ago

Cherry-picked at 859de3a9e3a74a1449a881f7d269516ff8c25831