From 3ea1ede5d72fa6d51accc32d36665f3a48546a57 Mon Sep 17 00:00:00 2001 From: Chris McDonough Date: Thu, 18 Jun 2009 07:56:09 +0000 Subject: - Add ``reissue_time`` and ``timeout`` parameters to ``repoze.bfg.authentication.AuthTktAuthenticationPolicy`` constructor. If these are passed, cookies will be reset every so often (cadged from the same change to repoze.who lately). --- repoze/bfg/authentication.py | 30 ++++++++++++++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) (limited to 'repoze/bfg/authentication.py') diff --git a/repoze/bfg/authentication.py b/repoze/bfg/authentication.py index 6be27f47e..5aca0c110 100644 --- a/repoze/bfg/authentication.py +++ b/repoze/bfg/authentication.py @@ -1,3 +1,5 @@ +import time + from codecs import utf_8_decode from codecs import utf_8_encode from paste.request import get_cookies @@ -183,6 +185,18 @@ class AuthTktAuthenticationPolicy(CallbackAuthenticationPolicy): Default: ``False``. Make the requesting IP address part of the authentication data in the cookie. Optional. + ``timeout`` + + Default: ``None``. Maximum age in seconds allowed for a cookie + to live. If ``timeout`` is specified, you must also set + ``reissue_time`` to a lower value. + + ``reissue_time`` + + Default: ``None``. If ``reissue_time`` is specified, when we + encounter a cookie that is older than the reissue time (in + seconds), but younger that the ``timeout``, a new cookie will + be issued. """ implements(IAuthenticationPolicy) def __init__(self, @@ -190,12 +204,16 @@ class AuthTktAuthenticationPolicy(CallbackAuthenticationPolicy): callback=None, cookie_name='repoze.bfg.auth_tkt', secure=False, - include_ip=False): + include_ip=False, + timeout=None, + reissue_time=None): self.cookie = AuthTktCookieHelper( secret, cookie_name=cookie_name, secure=secure, include_ip=include_ip, + timeout=timeout, + reissue_time=reissue_time, ) self.callback = callback 
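Review bot: The ``reissue_time`` entry added to the AuthTktAuthenticationPolicy docstring promises that an old-but-unexpired cookie gets a new one issued, yet nothing in this commit implements that: the helper's ``__init__`` (hunk -223,11 +241,16) only validates and stores ``reissue_time``, and the new check in ``identify`` (hunk -249,6 +272,9) consults ``self.timeout`` alone, so with all 28 insertions of the diffstat visible, ``self.reissue_time`` is never read. Either the reissue logic is missing from this change or the docstring should say the value is stored for use elsewhere. Separately, "younger that the ``timeout``" should read `younger than the ``timeout``` and the ``timeout`` entry could state what the last hunk actually does, e.g. `A cookie older than this is ignored and the request is treated as unauthenticated.` The enclosing class docstring begins before this hunk.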
@@ -223,11 +241,16 @@ class AuthTktCookieHelper(object): } def __init__(self, secret, cookie_name='auth_tkt', secure=False, - include_ip=False): + include_ip=False, timeout=None, reissue_time=None): self.secret = secret self.cookie_name = cookie_name self.include_ip = include_ip self.secure = secure + if timeout and ( (not reissue_time) or (reissue_time > timeout) ): + raise ValueError('When timeout is specified, reissue_time must ' + 'be set to a lower value') + self.timeout = timeout + self.reissue_time = reissue_time # IIdentifier def identify(self, request): @@ -249,6 +272,9 @@ class AuthTktCookieHelper(object): except auth_tkt.BadTicket: return None + if self.timeout and ( (timestamp + self.timeout) < time.time() ): + return None + userid_typename = 'userid_type:' user_data_info = user_data.split('|') for datum in filter(None, user_data_info): -- cgit v1.2.3
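Review bot: The guard `if timeout and ( (not reissue_time) or (reissue_time > timeout) ):` accepts `reissue_time == timeout` although the error message demands a lower value, and in that configuration the "older than reissue_time but younger than timeout" window is empty, so a cookie could never be refreshed; it also rejects `reissue_time=0` via `not reissue_time`, which rules out a reissue-on-every-request setting. `if timeout and (reissue_time is None or reissue_time >= timeout):` matches the stated rule, and negative values presumably deserve a check too. A comment such as `# reissue must fire before expiry, otherwise an authenticated session can never be refreshed` would explain the constraint. ``__init__`` ends within the hunk; ``AuthTktCookieHelper`` continues past it.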
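Review bot: The expiry check in ``identify`` returns ``None`` silently, so an expired ticket is indistinguishable from no ticket and the client keeps resending it on every request until ``forget`` runs, with no log line or cleared cookie to show why identification now fails; a ``logger.debug`` at this point, or a note that callers are expected to re-``remember``, would make expiry observable. The comparison trusts ``timestamp`` from the parsed ticket, which is fine only because the ticket digest covers the issue time — I believe paste's auth_tkt does this, but a comment such as `# issue time is part of the signed ticket, so it cannot be backdated once BadTicket is excluded — confirm against auth_tkt` should record that assumption. The doubled parentheses can go: `if self.timeout and timestamp + self.timeout < time.time():`. ``identify`` starts before the hunk and continues after it.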