fix: route user to error page if login is timed out (#465)

* fix: route user to error page if login is timed out

* fix: use 408 for timeout

Author: NithinKuruba

docker/otp-provider/src/config.ts

@@ -25,6 +25,6 @@ export const config = {
   OTP_VALIDITY_MINUTES: process.env.OTP_VALIDITY_MINUTES || '5',
   OTP_ATTEMPTS_ALLOWED: process.env.OTP_ATTEMPTS_ALLOWED || '5',
   OTP_RESENDS_ALLOWED_PER_DAY: process.env.OTP_RESENDS_ALLOWED_PER_DAY || '4',
-  OTP_RESEND_INTERVAL_MINUTES: process.env.OTP_RESEND_INTERVAL_MINUTES || '[1,2,5,60]',
+  OTP_RESEND_INTERVAL_MINUTES: process.env.OTP_RESEND_INTERVAL_MINUTES || '[1,2,5,25]',
   COOKIE_SECRETS: process.env.COOKIE_SECRETS || 's3cr3t1,s3cr3t1,s3cr3t2',
 };

docker/otp-provider/src/controllers/auth-controller.ts

@@ -4,6 +4,8 @@ import { requestNewOtp, validateOtp } from '../services/otp';
 import { canRequestOtp, secondsRemainingToRequestNewOtp } from '../utils/otp';
 import { emailValidator, otpValidator } from '../utils/shared';
 import { errors } from '../modules/errors';
+import { getInteractionById } from '../modules/sequelize/queries/interaction';
+import { LoginTimeoutError } from '../utils/helpers';
 
 export const authorize = async (oidcProvider: Provider) => {
   return async (req: Request, res: Response, next: NextFunction) => {
@@ -35,6 +37,8 @@ export const authorize = async (oidcProvider: Provider) => {
 export const generateOtp = async (oidcProvider: Provider) => {
   return async (req: Request, res: Response, next: NextFunction) => {
     try {
+      if (req.params?.uid && (await isInteractionSessionExpired(String(req.params?.uid))))
+        throw new LoginTimeoutError();
       const {
         uid,
         prompt: { name },
@@ -54,7 +58,7 @@ export const generateOtp = async (oidcProvider: Provider) => {
             error,
             nonce: res.locals.cspNonce,
             waitTime: 0,
-          })
+          });
         }
 
         if (!error) {
@@ -99,7 +103,6 @@ export const generateOtp = async (oidcProvider: Provider) => {
           },
         } as any);
 
-
         return res.render('otp', {
           uid,
           email,
@@ -119,6 +122,9 @@ export const generateOtp = async (oidcProvider: Provider) => {
 export const login = async (oidcProvider: Provider) => {
   return async (req: Request, res: Response, next: NextFunction) => {
     try {
+      if (req.params?.uid && (await isInteractionSessionExpired(String(req.params?.uid))))
+        throw new LoginTimeoutError();
+
       const {
         uid,
         prompt: { name },
@@ -131,20 +137,21 @@ export const login = async (oidcProvider: Provider) => {
 
       if (name === 'login') {
         let validatedOtp = { verified: false, attemptsLeft: 0, expired: false };
-        const { code1, code2, code3, code4, code5, code6,  } = req.body;
+        const { code1, code2, code3, code4, code5, code6 } = req.body;
         const email = (oidcResult?.login?.email as string) || '';
 
         // Run form validation server side
         const [otp, otpError] = otpValidator([code1, code2, code3, code4, code5, code6]);
-        if (otpError) return res.render('otp', {
+        if (otpError)
+          return res.render('otp', {
             uid,
             email,
             nonce: res.locals.cspNonce,
             waitTime: time,
             disableResend: false,
             disableForm: false,
-            error: otpError
-        });
+            error: otpError,
+          });
 
         let disableResend = false;
         validatedOtp = await validateOtp(otp as string, email);
@@ -210,3 +217,9 @@ export const abortLogin = async (oidcProvider: Provider) => {
     }
   };
 };
+
+const isInteractionSessionExpired = async (interactionUid: string) => {
+  const interaction = await getInteractionById(interactionUid);
+  if (interaction && new Date().getTime() >= new Date(interaction.expiresAt).getTime()) return true;
+  return false;
+};

docker/otp-provider/src/modules/oidc-provider.ts

@@ -121,8 +121,8 @@ export const getConfig = (): Configuration => {
       Session: 36000, // 10 hours
       AccessToken: 300, // 5 minutes
       AuthorizationCode: 60, // 1 minute
-      RefreshToken: 1800, // 2 seconds
-      Interaction: 36000, // 10 hours
+      RefreshToken: 1800, // 30 minutes
+      Interaction: 1800, // 30 minutes
       IdToken: 300, // 5 minutes
       //Grant controls how long the authorization grant (which includes tokens and scopes) is valid. This affects token reuse and refresh behavior.
       Grant: 36000, // 10 hours - client session max

docker/otp-provider/src/modules/sequelize/queries/interaction.ts

@@ -0,0 +1,9 @@
+import { QueryOptions } from 'sequelize';
+import models from '../models';
+
+export const getInteractionById = async (id: string, options: QueryOptions = { raw: true }) => {
+  return await models.get('Interaction').findOne({
+    where: { id },
+    ...options,
+  });
+};

docker/otp-provider/src/routes/interaction.ts

@@ -1,7 +1,7 @@
 import express, { NextFunction, Request, Response, urlencoded } from 'express';
 import Provider from 'oidc-provider';
 import { authorize, generateOtp, login, abortLogin } from '../controllers/auth-controller';
-import { setNoCache } from '../utils/helpers';
+import { LoginTimeoutError, setNoCache } from '../utils/helpers';
 import { errors } from 'oidc-provider';
 import logger from '../modules/winston.config';
 
@@ -18,7 +18,10 @@ export const oidcRouter = async (oidcProvider: Provider) => {
       logger.error('OIDC interaction error:', err);
       let errorMessage = 'An unexpected error occurred';
       let errorStatus = 500;
-      if (err instanceof errors.InvalidRequest) {
+      if (err instanceof LoginTimeoutError) {
+        errorStatus = err.status || 408;
+        errorMessage = err.message;
+      } else if (err instanceof errors.InvalidRequest) {
         errorMessage = 'Invalid request parameters sent.';
         errorStatus = err.status || 400;
       } else if (err instanceof errors.InvalidGrant) {

docker/otp-provider/src/utils/helpers.ts

@@ -27,3 +27,15 @@ export const setNoCache = (req: Request, res: Response, next: NextFunction) => {
   res.set('Cache-Control', 'no-store, no-cache, must-revalidate, proxy-revalidate');
   next();
 };
+
+export class LoginTimeoutError extends Error {
+  status: number;
+  constructor(
+    message = 'Your session has timed out, please close this window and log in again using a new browser window',
+  ) {
+    super(message);
+    this.name = 'LoginTimeoutError';
+    this.status = 408;
+    Object.setPrototypeOf(this, LoginTimeoutError.prototype);
+  }
+}