Session Invalidation

[ingalls]

Context

At the moment, if a session cookie is set and invalid, it will block all calls to hecate, not redirecting the user to auth. This forces the user to go and manually delete the cookie before they are able to reauth.

This implements automatic session cookie clearing on any invalid auth attempt that uses a session cookie.

@lizziegooding or @mattciferri can I get a review and have you test/take it out?

Test Instructions

• Run any test that creates the ingalls:yeaheh user/pass

• Start server locally with

  cargo run -- --auth test/fixtures/auth.default.json

• navigate to localhost:8000/admin

• Should be redireted to login page, login with ingalls:yeaheh user:pass

• Run

  psql -U postgres hecate

  DELETE FROM users_tokens

• Refresh the page, you should be deauthenticated and returned to the login page, instead of seeing the white page you may be used to

cc/ @ingalls

[lizziegooding]

Noting that I've added to the work @ingalls did to:

• [x] add a max-age field on the user session cookie so when the cookie is expired, the user will automatically be directed back to the user login page. While the current token invalidation code works, it sends back a 401 without redirecting the user. A subsequent refresh redirects the user to log in, but this extra refresh is somewhat annoying. I'm keeping token invalidation as is in case the user does send an invalid cookie (that isn't necessarily expired), but decided to punt on improving the user flow for this edge case.
• [x] increase the max token expire time from 16 hours to 2 weeks and increase the user session time from 4 hours to 2 weeks. 4 hours was far too short to keep users logged in