Currently a user whose unverified grace period expired can still continue to browse the application, as long as they don't close their browser or visit any authentication routes.
We address that by adding the grace period expiration to the session, and logging the user out when it has expired. By storing this in the session, we avoid a database query on each call to `require_login`. We maintain backwards compatibility with existing session values still set to `true`.
Follow-up to the discussion in https://github.com/jeremyevans/rodauth/discussions/210
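
The session-based check described above, as an added Ruby sketch that is not code from this pull request or from Rodauth. The session key, the `account_id` key and the helper names are hypothetical; treating a legacy `true` value as "not expired" and failing closed on unexpected types are assumptions.

```ruby
# Added illustration; key names and helpers are hypothetical, not Rodauth's API.
UNVERIFIED_KEY = "unverified_account" # hypothetical session key

# When an unverified account logs in, store the grace period deadline as an
# integer epoch timestamp instead of the legacy boolean `true`.
def mark_unverified(session, account_created_at, grace_period)
  session[UNVERIFIED_KEY] = account_created_at.to_i + grace_period
end

# Decide from the session alone (no database query) whether the grace
# period has run out.
def grace_period_expired?(session, now = Time.now)
  value = session[UNVERIFIED_KEY]
  case value
  when nil, false then false          # verified account: no deadline stored
  when true then false                # legacy session: deadline unknown (assumption: left alone)
  when Integer then now.to_i > value  # new-style session: compare against the deadline
  else true                           # unexpected type: fail closed (assumption)
  end
end

# Login gate: returns :ok, :login_required or :expired.
# An expired unverified session is cleared, which logs the user out.
def require_login(session, now = Time.now)
  return :login_required unless session["account_id"]
  if grace_period_expired?(session, now)
    session.clear
    return :expired
  end
  :ok
end
```
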