feat: max_age is set during auth request to limit user session

Signed-off-by: Jorge Turrado <jorge.turrado@mail.schwarz>

Author: JorTurFer

internal/cmd/config/profile/import/template/profile.json

@@ -25,7 +25,7 @@
   "serverbackup_custom_endpoint": "",
   "service_account_custom_endpoint": "",
   "service_enablement_custom_endpoint": "",
-  "session_time_limit": "2h",
+  "session_time_limit": "12h",
   "ske_custom_endpoint": "",
   "sqlserverflex_custom_endpoint": "",
   "token_custom_endpoint": "",

internal/pkg/auth/auth.go

@@ -110,15 +110,23 @@ func GetAccessToken() (string, error) {
 
 func getStartingSessionExpiresAtUnix() (string, error) {
 	sessionStart := time.Now()
-	sessionTimeLimitString := viper.GetString(config.SessionTimeLimitKey)
-	sessionTimeLimit, err := time.ParseDuration(sessionTimeLimitString)
+	sessionTimeLimit, err := getSessionExpiration()
 	if err != nil {
-		return "", fmt.Errorf("parse session time limit \"%s\": %w", sessionTimeLimitString, err)
+		return "", err
 	}
 	sessionExpiresAt := sessionStart.Add(sessionTimeLimit)
 	return strconv.FormatInt(sessionExpiresAt.Unix(), 10), nil
 }
 
+func getSessionExpiration() (time.Duration, error) {
+	sessionTimeLimitString := viper.GetString(config.SessionTimeLimitKey)
+	duration, err := time.ParseDuration(sessionTimeLimitString)
+	if err != nil {
+		return 0, fmt.Errorf("parse session time limit \"%s\": %w", sessionTimeLimitString, err)
+	}
+	return duration, nil
+}
+
 func getEmailFromToken(token string) (string, error) {
 	// We can safely use ParseUnverified because we are not authenticating the user at this point,
 	// We are parsing the token just to get the service account e-mail

internal/pkg/auth/user_login.go

@@ -121,8 +121,13 @@ func AuthorizeUser(p *print.Printer, isReauthentication bool) error {
 	// Initialize the code verifier
 	codeVerifier := oauth2.GenerateVerifier()
 
+	// Generate max age based on the session time limit
+	maxSessionDuration, err := getSessionExpiration()
+	if err != nil {
+		return err
+	}
 	// Construct the authorization URL
-	authorizationURL := conf.AuthCodeURL("", oauth2.S256ChallengeOption(codeVerifier))
+	authorizationURL := conf.AuthCodeURL("", oauth2.S256ChallengeOption(codeVerifier), oauth2.SetAuthURLParam("max_age", fmt.Sprintf("%d", int64(maxSessionDuration.Seconds()))))
 
 	// Start a web server to listen on a callback URL
 	mux := http.NewServeMux()

internal/pkg/config/config.go

@@ -52,7 +52,7 @@ const (
 
 	AsyncDefault            = false
 	RegionDefault           = "eu01"
-	SessionTimeLimitDefault = "2h"
+	SessionTimeLimitDefault = "12h"
 
 	AllowedUrlDomainDefault = "stackit.cloud"
 )

internal/pkg/config/template/test_profile.json

@@ -25,7 +25,7 @@
   "serverbackup_custom_endpoint": "",
   "service_account_custom_endpoint": "",
   "service_enablement_custom_endpoint": "",
-  "session_time_limit": "2h",
+  "session_time_limit": "12h",
   "ske_custom_endpoint": "",
   "sqlserverflex_custom_endpoint": "",
   "token_custom_endpoint": "",