"Remember me" feature

api/users.go

@@ -87,7 +87,7 @@ func (r usersRoutes) impersonateUser(c *gin.Context) {
 		})
 		return
 	}
-	tools.StartSession(c, &tools.SessionData{Userid: u.ID})
+	tools.StartSession(c, &tools.SessionData{Userid: u.ID}, false)
 }
 
 func (r usersRoutes) updateUser(c *gin.Context) {

tools/middlewares.go

@@ -6,6 +6,7 @@ import (
 	"net/url"
 	"strconv"
 	"strings"
+	"time"
 
 	"github.com/TUM-Dev/gocast/dao"
 	"github.com/TUM-Dev/gocast/model"
@@ -15,6 +16,11 @@ import (
 	"github.com/golang-jwt/jwt/v4"
 )
 
+const (
+	MaxTokenLifetimeWithRememberMeInDays = 180
+	MinUpdateIntervalInHours             = 1
+)
+
 var templateExecutor TemplateExecutor
 
 // SetTemplateExecutor sets the templates and template executor for the middlewares to execute error pages
@@ -25,8 +31,10 @@ func SetTemplateExecutor(e TemplateExecutor) {
 // JWTClaims are the claims contained in a session
 type JWTClaims struct {
 	*jwt.RegisteredClaims
+	UpdatedAt     *jwt.NumericDate
 	UserID        uint
 	SamlSubjectID *string // identifier of the SAML session (if any)
+	RememberMe    bool
 }
 
 func InitContext(daoWrapper dao.DaoWrapper) gin.HandlerFunc {
@@ -62,6 +70,28 @@ func InitContext(daoWrapper dao.DaoWrapper) gin.HandlerFunc {
 			return
 		}
 
+		claims := token.Claims.(*JWTClaims)
+
+		// in case when the user has selected "remember me" when logging in, prolong the validity of the token
+		// but only when the token has not been updated during the last 1 hour
+		if claims.RememberMe && time.Since(claims.UpdatedAt.Time).Hours() > MinUpdateIntervalInHours {
+			// remove jwt cookie older than MaxTokenAgeWithRefreshInDays
+			expiresAt := &jwt.NumericDate{Time: time.Now().Add(time.Hour * 24 * MaxTokenAgeInDays)}
+			if expiresAt.Sub(claims.IssuedAt.Time).Hours() > MaxTokenLifetimeWithRememberMeInDays*24 {
+				c.SetCookie("jwt", "", -1, "/", "", false, true)
+				return
+			}
+			claims.ExpiresAt = expiresAt
+			claims.UpdatedAt = &jwt.NumericDate{Time: time.Now()}
+
+			token = jwt.NewWithClaims(token.Method, claims)
+			signedToken, err := token.SignedString(Cfg.GetJWTKey())
+			if err == nil {
+				c.SetCookie("jwt", signedToken, 60*60*24*MaxTokenAgeInDays, "/", "", CookieSecure, true)
+			}
+			logger.Error(signedToken)
+		}
+
 		user, err := daoWrapper.UsersDao.GetUserByID(c, token.Claims.(*JWTClaims).UserID)
 		if err != nil {
 			c.Set("TUMLiveContext", TUMLiveContext{})

tools/session.go

@@ -7,29 +7,36 @@ import (
 	"github.com/golang-jwt/jwt/v4"
 )
 
+const (
+	MaxTokenAgeInDays = 7
+)
+
 type SessionData struct {
 	Userid        uint
 	SamlSubjectID *string
 }
 
-func StartSession(c *gin.Context, data *SessionData) {
-	token, err := createToken(data.Userid, data.SamlSubjectID)
+func StartSession(c *gin.Context, data *SessionData, rememberMe bool) {
+	token, err := createToken(data.Userid, data.SamlSubjectID, rememberMe)
 	if err != nil {
 		logger.Error("Could not create token", "err", err)
 		return
 	}
-	c.SetCookie("jwt", token, 60*60*24*7, "/", "", CookieSecure, true)
+	c.SetCookie("jwt", token, 60*60*24*MaxTokenAgeInDays, "/", "", CookieSecure, true)
 }
 
-func createToken(user uint, samlSubjectID *string) (string, error) {
+func createToken(user uint, samlSubjectID *string, rememberMe bool) (string, error) {
 	t := jwt.New(jwt.GetSigningMethod("RS256"))
 
 	t.Claims = &JWTClaims{
 		RegisteredClaims: &jwt.RegisteredClaims{
-			ExpiresAt: &jwt.NumericDate{Time: time.Now().Add(time.Hour * 24 * 7)}, // Token expires in one week
+			IssuedAt:  &jwt.NumericDate{Time: time.Now()},
+			ExpiresAt: &jwt.NumericDate{Time: time.Now().Add(time.Hour * 24 * MaxTokenAgeInDays)}, // Token expires in one week
 		},
+		UpdatedAt:     &jwt.NumericDate{Time: time.Now()},
 		UserID:        user,
 		SamlSubjectID: samlSubjectID,
+		RememberMe:    rememberMe,
 	}
 	return t.SignedString(Cfg.GetJWTKey())
 }

web/template/login.gohtml

@@ -24,6 +24,13 @@
     <style>[x-cloak] {
             display: none !important;
         }</style>
+
+    <script>
+        window.onload = function() {
+            document.cookie = 'rememberMe=; path=/; max-age=-1';
+        };
+    </script>
+
 </head>
 <body class="h-screen flex flex-col items-stretch tum-live-bg">
 <header class="text-3 flex z-50 w-full items-center px-3 py-2 h-16 justify-between shrink-0 grow-0">
@@ -39,6 +46,19 @@
         <header>
             <h1 class="font-bold text-3">Login</h1>
         </header>
+
+        <div x-show="!resetPassword" class="flex">
+            <input type="checkbox" name="rememberMe" id="rememberMe">
+            <label for="rememberMe" class="text-5 text-sm px-2">Remember me for 6 months</label>
+            <script>
+                document.getElementById('rememberMe').addEventListener('change', function() {
+                    document.cookie = "rememberMe=" + this.checked + "; path=/; max-age=600";
+                    // The status whether "remember me" is checked is saved in a cookie, valid for 10 minutes
+                    // This cookie will be deleted once logged in
+                });
+            </script>
+        </div>
+
         {{if .UseSAML}}
             <article class="text-center w-full">
                 <a href="/saml/out"

web/user.go

@@ -58,7 +58,15 @@ func (r mainRoutes) LoginHandler(c *gin.Context) {
 
 // HandleValidLogin starts a session and redirects the user to the page they were trying to access.
 func HandleValidLogin(c *gin.Context, data *tools.SessionData) {
-	tools.StartSession(c, data)
+	rememberMeCookie, err := c.Request.Cookie("rememberMe")
+	rememberMe := false
+	if err == nil && rememberMeCookie.Value == "true" {
+		rememberMe = true
+	}
+	// Delete cookie that was used for saving the status of "remember me"
+	c.SetCookie("rememberMe", "", -1, "/", "", tools.CookieSecure, true)
+
+	tools.StartSession(c, data, rememberMe)
 	redirURL, err := c.Cookie(redirCookieName)
 	if err != nil {
 		redirURL = "/" // Fallback in case no cookie is present: Redirect to index page