feat: add sliding session timeout with idle and absolute caps

2026-04-26 18:12:37 +09:30
parent 60799bbc52
commit d48e6b2f97
14 changed files with 398 additions and 31 deletions
@@ -140,18 +140,26 @@ class AuthService:
        return user

    @staticmethod
-    def create_session(user, duration_seconds=86400, is_compliance_only=False):
+    def create_session(user, duration_seconds=None, is_compliance_only=False):
        """
        Create a new session for the user.

        Args:
            user: User instance
-            duration_seconds: Session duration in seconds
+            duration_seconds: Session idle timeout in seconds.
+                When None, defaults to SESSION_IDLE_TIMEOUT from config.
+                The absolute lifetime is always enforced by Session.is_active()
+                regardless of this value.
            is_compliance_only: Whether this is a compliance-only session (limited access)

        Returns:
            Session instance
        """
+        from flask import current_app
+
+        if duration_seconds is None:
+            duration_seconds = current_app.config.get("SESSION_IDLE_TIMEOUT", 900)
+
        # Generate session token
        token = secrets.token_urlsafe(32)