From 252c238e69c2784842cb04de3c73319a8cc5da69 Mon Sep 17 00:00:00 2001
From: Magnus Hagander
Date: Wed, 11 Jun 2025 20:40:20 +0200
Subject: [PATCH] Ensure oauth secure cookie expires

If login isn't completed in 10 minutes, expire the cookie and require a
start-over.
---
 pgweb/account/oauthclient.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/pgweb/account/oauthclient.py b/pgweb/account/oauthclient.py
index 86e4d64a..8398cbe0 100644
--- a/pgweb/account/oauthclient.py
+++ b/pgweb/account/oauthclient.py
@@ -10,6 +10,7 @@ import hashlib
 import json
 import os
 import sys
+import time
 import urllib.parse
 from Cryptodome import Random
 from Cryptodome.Cipher import AES
@@ -38,6 +39,7 @@ _cookie_key = hashlib.sha512(settings.SECRET_KEY.encode()).digest()
 
 
 def set_encrypted_oauth_cookie_on(response, cookiecontent, path=None):
+    cookiecontent['_ts'] = time.time()
     cookiedata = json.dumps(cookiecontent)
     r = Random.new()
     nonce = r.read(16)
@@ -73,7 +75,13 @@ def get_encrypted_oauth_cookie(request):
         base64.urlsafe_b64decode(parts['t'][0]),
     )
 
-    return json.loads(s)
+    d = json.loads(s)
+    if time.time() - d['_ts'] > 10 * 60:
+        # 10 minutes to complete oauth login
+        raise OAuthException("Cookie expired")
+    del d['_ts']
+
+    return d
 
 
 def delete_encrypted_oauth_cookie_on(response):
-- 
2.39.5
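Review bot: `cookiecontent['_ts'] = time.time()` writes into the caller's dict, so the caller's own object gains a `_ts` key as a side effect and any `_ts` the caller happened to pass is silently overwritten. Building the payload from a copy keeps set_encrypted_oauth_cookie_on free of that side effect: `cookiedata = json.dumps({**cookiecontent, '_ts': time.time()})` in place of the two lines. The rest of the function's body continues outside the hunk.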
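Review bot: `d['_ts']` raises KeyError for any cookie issued before this change is deployed, which surfaces as an unhandled error instead of the OAuthException the caller presumably handles; `if time.time() - d.get('_ts', 0) > 10 * 60:` treats a missing timestamp as already expired, the fail-closed choice, and `del d['_ts']` then becomes `d.pop('_ts', None)`. The `10 * 60` would be clearer as a module-level constant, e.g. a suggested `OAUTH_COOKIE_MAX_AGE = 10 * 60`, so the comment and the value cannot drift apart. The check is only meaningful because the payload is authenticated — assuming the decrypt call above the hunk verifies the `t` tag that `parts['t'][0]` supplies — so a client cannot push `_ts` forward; that is worth saying in the comment, e.g. `# _ts is inside the authenticated payload, so the client cannot alter it`. get_encrypted_oauth_cookie begins outside the hunk.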