The Flight SSO service includes expiration of an authentication_token, currently either 24 hours later for regular sign ins, or 100 years later if 'remember me' is selected. This was missed in the current Control implementation of SSO, so the SSO cookie created by Control had no expiry.
This meant SSO cookies were not getting removed when their tokens were expired. In Flight Center this prevented new logins (unless the SSO cookie was manually deleted), and in Control would produce a breaking error.
This PR adds logic to determine the token expiry when querying the Flight SSO service, and uses it for the resulting flight_sso cookie's expiry. It also includes logic to pass on the 'remember_me' choice to Flight SSO.
Note: This means SSO users are now automatically logged out from Control when this expiry time is reached.
Implementation detail
The expiry time is not explicitly provided in the response body of the back end HTTP request to Flight SSO (probably why it was missed). It is however included in the decoded token itself, under the key 'exp'.
In Flight Center a front end request is made to Flight SSO as part of the login workflow, with Flight SSO itself creating the cookie. This approach could be considered if refactoring Control or integrating SSO for other applications.
Aims to resolve #32
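As an added illustration of the approach described above (example code, not code from this PR or from Flight Control), the following Ruby reads 'exp' from the decoded token and derives the flight_sso cookie expiry from it. It assumes the token is a JWT with a base64url-encoded JSON payload; the demo_token helper and the 24-hour / 100-year lifetimes are constructed to mirror the behaviour described, and signature verification is left out.

```ruby
require 'base64'
require 'json'
require 'time'

ONE_DAY = 24 * 60 * 60
HUNDRED_YEARS = 100 * 365 * ONE_DAY # approximation, leap days ignored

# Constructed stand-in for a Flight SSO authentication_token (assumed to be a
# JWT: header.payload.signature, base64url encoded). The signature segment is
# a placeholder; a real token would be signed by Flight SSO.
def demo_token(issued_at:, remember_me:)
  exp = issued_at.to_i + (remember_me ? HUNDRED_YEARS : ONE_DAY)
  header  = Base64.urlsafe_encode64({ alg: 'HS256', typ: 'JWT' }.to_json, padding: false)
  payload = Base64.urlsafe_encode64({ sub: 'demo-user', iat: issued_at.to_i, exp: exp }.to_json, padding: false)
  "#{header}.#{payload}.placeholder-signature"
end

# Read the 'exp' claim from the decoded token payload. Signature verification
# is not shown here; the SSO client must verify it before trusting any claim.
def token_expiry(token)
  segments = token.split('.')
  raise ArgumentError, 'token is not a three-segment JWT' unless segments.length == 3
  claims = JSON.parse(Base64.urlsafe_decode64(segments[1]))
  exp = claims['exp']
  raise ArgumentError, "token carries no integer 'exp' claim" unless exp.is_a?(Integer)
  Time.at(exp).utc
end

# Cookie attributes for flight_sso with the expiry taken from the token, so the
# browser drops the cookie when the token stops being valid instead of keeping
# a cookie with no expiry at all.
def flight_sso_cookie(token, now: Time.now.utc)
  expires = token_expiry(token)
  raise ArgumentError, 'token is already expired' if expires <= now
  { value: token, expires: expires, httponly: true, secure: true }
end

if __FILE__ == $PROGRAM_NAME
  now = Time.now.utc
  [false, true].each do |remember|
    cookie = flight_sso_cookie(demo_token(issued_at: now, remember_me: remember), now: now)
    puts "remember_me=#{remember}: cookie expires #{cookie[:expires].iso8601}"
  end
end
```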