session timeout

2026-04-27 02:40:00 +09:30
parent c34551b868
commit 9e5427a262
10 changed files with 694 additions and 3 deletions
@@ -64,6 +64,43 @@ This project is built with:
Simply open [Lovable](https://lovable.dev/projects/REPLACE_WITH_PROJECT_ID) and click on Share -> Publish.
## Session Timeout Behavior
This application implements automatic session timeout to align with security best practices (OWASP Session Management Cheat Sheet, NIST 800-63B Section 7.1).
### Backend Configuration
The backend uses a sliding window session model with two independent timeouts:
| Timeout | Default | Description |
|---------|---------|-------------|
| Idle | 15 minutes | If no authenticated request is made within this window, the session expires |
| Absolute | 8 hours | Hard cap from session creation. Activity cannot extend past this point |
Both are configurable via environment variables: `SESSION_IDLE_TIMEOUT` and `SESSION_ABSOLUTE_TIMEOUT` (values in seconds).
### How It Works
- **Sliding Window**: Every authenticated request automatically resets the idle clock
- **Active User**: Session keeps extending up to the 8-hour absolute maximum
- **Idle User**: After 15 minutes of inactivity, the session expires and the next request returns 401
- **Heartbeat**: The frontend sends a periodic `GET /api/v1/auth/me` every 5 minutes to keep sessions alive during passive activities like reading long pages
### Frontend UX
- **Warning Dialog**: When the user is within 3 minutes of session expiry, a warning dialog appears with a countdown timer
- **Extend Session**: Users can click "Keep Me Signed In" to refresh the session via `POST /api/v1/auth/sessions/refresh`
- **Graceful Expiry**: When a session expires, the user is redirected to the login page with a gentle message: "Your session has expired due to inactivity"
- **No Hard Logouts**: The frontend never forcefully logs out an active user; expiry only occurs after API confirmation (401 response)
### API Endpoints
| Endpoint | Purpose |
|----------|---------|
| `POST /api/v1/auth/sessions/refresh` | Explicitly refresh session (extends idle timeout) |
| `GET /api/v1/auth/sessions` | List all active sessions for the user |
| `DELETE /api/v1/auth/sessions/:id` | Revoke a specific session |
## Can I connect a custom domain to my Lovable project?
Yes, you can!
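Review bot: The heartbeat bullet under "How It Works" undercuts the idle timeout documented two lines above it: if the frontend sends `GET /api/v1/auth/me` every 5 minutes and every authenticated request resets the idle clock, an unattended browser tab never goes idle and the session simply lives until the 8-hour absolute cap, so the "15 minutes" in the Backend Configuration table is not what a reader of this README will actually observe. Either state that the heartbeat is only sent while the page has seen recent user activity (and stops otherwise), or state that `/auth/me` is excluded from sliding the idle window; whichever the implementation does should be written down here. The Frontend UX section would also benefit from one sentence on where the client learns the remaining lifetime that drives the 3-minute warning dialog (a field in the `/auth/me` or `sessions/refresh` response, for example), since the text currently describes the countdown without saying what it counts down from.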