feat: make authorization cookie default expiration time customizable by Nydauron · Pull Request #389 · TecharoHQ/anubis · GitHub

feat: make authorization cookie default expiration time customizable #389

Merged
merged 1 commit into from
May 1, 2025

Conversation

Nydauron
Contributor
@Nydauron Nydauron commented Apr 28, 2025

Closes #272. Adds --cookie-expiration-time flag and env variable to allow for customizing the expiration date of authorization cookies. It takes in a duration similar to --og-expiry-time representing the amount of time until the cookie expires.

Checklist:

  • Added a description of the changes to the [Unreleased] section of docs/docs/CHANGELOG.md
  • Added test cases to the relevant parts of the codebase
  • Ran integration tests npm run test:integration (unsupported on Windows, please use WSL)

@Nydauron Nydauron marked this pull request as ready for review April 28, 2025 07:29
@Nydauron Nydauron force-pushed the feat/cookie-expiration-env branch from 2e6d2fa to f2eb45f Compare April 28, 2025 07:33
@Xe Xe self-requested a review April 28, 2025 12:34
lib/anubis.go Outdated
Contributor
@compilade compilade Apr 28, 2025

Should the 24 * 7 * time.Hour in challengeFor also be configurable through this? Otherwise, the challenge will basically be the same per client for the week and the previous solution can be re-used even if the cookie expires quickly.

However, whenever the time rounds in challengeFor, the challenge given is not necessarily the same as the challenge it's verified against by the time it's solved. (e.g. if the expiration time is an hour, then at each hour boundary that problem can occur)

But having the capability to make this happen more often will likely result in finding a solution.

Contributor Author

Hmm, I'm getting what you are putting down. Currently, the only way I can think of entirely mitigating this involves extra state on the backend (e.g. making the challenge based on a random value which is stored server-side).

Another alternative would be to accept a solution before a certain amount of time has elapsed (exact time used in the creation of the challenge and the challenge would have to be put into a JWT with a set expiration time and this JWT would have to be sent to the client and sent with the solution on challenge submission), but currently, solving time varies quite a lot between attempts and different devices. While not a perfect solution, the timeout can be set to a very high upper bound and scales exponentially with difficulty (e.g. 16^x), with minimal impact to real users. Based on the numbers we've been gathering, 8-10 mins after issuance when difficulty = 4 seems to be rather generous (99%-ile of clients take about 30 seconds, 99.6%-ile taking around 87 seconds).
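
Added example, not part of the thread or of the Anubis code base: a simplified Go model of the two designs discussed in the comments above, a challenge derived from a rounded timestamp and a challenge signed together with its exact issuance time. The names roundedChallenge, tagFor, issue and verify, the client string and the key are hypothetical; time.Round is assumed as the rounding step, and a bare HMAC tag stands in for the JWT mentioned in the reply.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// roundedChallenge is a simplified model (assumption, not Anubis code): the
// challenge is a hash of client data plus the time rounded to `window`.
func roundedChallenge(client string, now time.Time, window time.Duration) string {
	sum := sha256.Sum256([]byte(client + "|" + now.UTC().Round(window).Format(time.RFC3339)))
	return hex.EncodeToString(sum[:])
}

// tagFor authenticates a challenge together with its exact issuance time.
func tagFor(key []byte, challenge string, issued time.Time) []byte {
	m := hmac.New(sha256.New, key)
	fmt.Fprintf(m, "%s|%d", challenge, issued.Unix())
	return m.Sum(nil)
}

// issue derives and signs a challenge; the client returns challenge, issued and tag.
func issue(key []byte, client string, issued time.Time) (string, string) {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%d", client, issued.Unix())))
	challenge := hex.EncodeToString(sum[:])
	return challenge, hex.EncodeToString(tagFor(key, challenge, issued))
}

// verify checks tag authenticity and challenge age only (proof-of-work check omitted).
func verify(key []byte, challenge, tag string, issued, now time.Time, ttl time.Duration) bool {
	got, err := hex.DecodeString(tag)
	if err != nil || !hmac.Equal(got, tagFor(key, challenge, issued)) {
		return false
	}
	age := now.Sub(issued)
	return age >= 0 && age <= ttl
}

func main() {
	key := []byte("constructed-demo-key") // constructed sample key
	t0 := time.Date(2025, 4, 28, 10, 29, 50, 0, time.UTC)
	later := t0.Add(20 * time.Second) // crosses the point where time.Round flips
	fmt.Println(roundedChallenge("ua|ip", t0, time.Hour) == roundedChallenge("ua|ip", later, time.Hour)) // false
	ch, tag := issue(key, "ua|ip", t0)
	fmt.Println(verify(key, ch, tag, t0, later, 10*time.Minute))                  // true
	fmt.Println(verify(key, ch, tag, t0, t0.Add(11*time.Minute), 10*time.Minute)) // false
}
```

The 10-minute limit matches the upper end of the 8-10 minute window suggested in the reply; the signed variant needs no server-side state because the issuance time travels with the challenge and is covered by the tag.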

@Nydauron Nydauron force-pushed the feat/cookie-expiration-env branch from f2eb45f to 5d0a026 Compare April 29, 2025 04:04
@Xe Xe added this to the v1.17.1: Asahi sas Brutus: Echo 1 milestone Apr 29, 2025
@Xe Xe force-pushed the feat/cookie-expiration-env branch from 5d0a026 to a02bc11 Compare May 1, 2025 10:00
@Xe
Contributor
Xe commented May 1, 2025

I rebased this on main and did manual testing by setting the lifetime absurdly low (30s). Thanks! This is good to ship.

@Xe Xe enabled auto-merge (squash) May 1, 2025 10:01
@Xe Xe merged commit 91275c4 into TecharoHQ:main May 1, 2025
4 checks passed
JasonLovesDoggo pushed a commit to JasonLovesDoggo/anubis that referenced this pull request Jun 17, 2025
Development

Successfully merging this pull request may close these issues.

Allow to change cookie expiration time