FIX: increase secure session for OAuth expiration time (#27674)

By default, secure sessions expire after 1 hour. For OAuth authentication it should expire at the same time when the authentication cookie expires - `SiteSetting.maximum_session_age.hours`. It is possible that the forum will not have persistent sessions, based on `persistent_sessions` site setting. In that case, with next username and password authentication we need to reset information about OAuth. Bug introduced in this PR - https://github.com/discourse/discourse/pull/27547
2025-06-05 22:24:47 +08:00 · 2024-07-02 11:43:59 +10:00
parent 592b5ceed1
commit a1d2c46d28
3 changed files with 6 additions and 1 deletions
--- a/spec/requests/omniauth_callbacks_controller_spec.rb
+++ b/spec/requests/omniauth_callbacks_controller_spec.rb
@ -237,6 +237,10 @@ RSpec.describe Users::OmniauthCallbacksController do
        expect(data["can_edit_username"]).to eq(true)
        expect(data["destination_url"]).to eq(destination_url)
        expect(read_secure_session["oauth"]).to eq("true")
+        expect(Discourse.redis.ttl("#{session[:secure_session_id]}oauth")).to be_between(
+          SiteSetting.maximum_session_age.hours.seconds - 10,
+          SiteSetting.maximum_session_age.hours.seconds,
+        )
      end

      it "should return the right response for staged users" do