Closed renderorange closed 1 year ago
this needs more research. crypt-storage-encode is used to encode the secret data to be stored into the database, not into the session. additionally, the session stored into the cookie for the user is set in the config.yml setting, default_duration: 604800
. this value isn't tied to the value in the project config.
there are a couple things to do for this. first is to set the cookie default_duration to match the project config, rather than hard code it to 60480. second is to remove the encode method arg to set the duration of the data being stored in the database. according to documentation, an unset value doesn't set an expiration time on the data itself.
commit dff0924 removes default_duration and expires age settings so the secret expiration will only be controlled by the created_at field.
since removing expire times from the configs, the question now is, should a no expiration setting be allowed in the project configuration? if, say, someone wants to run this project on their own private network, and wants to set no expiration to secrets, should they be allowed?
I think yes.
or they could just not run the cronjob to delete expired secrets. going with that, and will update the documentation.
https://github.com/renderorange/pasteburn/blob/master/lib/Pasteburn/Crypt/Storage.pm#L27
since expire time is a configurable option, it should be passed into the encode method as an argument. as is, expire time is hard coded to 7 days, regardless of the config set by the admin.