Implements new session logout

Author: samejr

apps/webapp/app/root.tsx

@@ -15,6 +15,8 @@ import { env } from "./env.server";
 import { featuresForRequest } from "./features.server";
 import { usePostHog } from "./hooks/usePostHog";
 import { getUser } from "./services/session.server";
+import { commitAuthenticatedSessionLazy } from "./services/sessionDuration.server";
+import { getUserSession } from "./services/sessionStorage.server";
 import { getTimezonePreference } from "./services/preferences/uiPreferences.server";
 import { appEnvTitleTag } from "./utils";
 
@@ -58,9 +60,22 @@ export const loader = async ({ request }: LoaderFunctionArgs) => {
     websiteId: env.KAPA_AI_WEBSITE_ID,
   };
 
+  const user = await getUser(request);
+
+  const headers = new Headers();
+  headers.append("Set-Cookie", await commitSession(session));
+
+  // Lazy-backfill the auth session's `issuedAt` for cookies issued before this
+  // feature shipped, and refresh the cookie's Max-Age to track the user's
+  // current effective session duration.
+  if (user) {
+    const authSession = await getUserSession(request);
+    headers.append("Set-Cookie", await commitAuthenticatedSessionLazy(authSession, user.id));
+  }
+
   return typedjson(
     {
-      user: await getUser(request),
+      user,
       toastMessage,
       posthogProjectKey,
       features,
@@ -70,7 +85,7 @@ export const loader = async ({ request }: LoaderFunctionArgs) => {
       kapa,
       timezone,
     },
-    { headers: { "Set-Cookie": await commitSession(session) } }
+    { headers }
   );
 };
 

apps/webapp/app/routes/account.security/route.tsx

@@ -7,9 +7,16 @@ import {
 import { Header2 } from "~/components/primitives/Headers";
 import { NavBar, PageTitle } from "~/components/primitives/PageHeader";
 import { MfaSetup } from "../resources.account.mfa.setup/route";
+import { SessionDurationSetting } from "../resources.account.session-duration/SessionDurationSetting";
 import { LoaderFunctionArgs } from "@remix-run/server-runtime";
 import { requireUser } from "~/services/session.server";
 import { typedjson, useTypedLoaderData } from "remix-typedjson";
+import { prisma } from "~/db.server";
+import {
+  getAllowedSessionOptions,
+  getOrganizationSessionCap,
+  DEFAULT_SESSION_DURATION_SECONDS,
+} from "~/services/sessionDuration.server";
 
 export const meta: MetaFunction = () => {
   return [
@@ -22,13 +29,28 @@ export const meta: MetaFunction = () => {
 export async function loader({ request }: LoaderFunctionArgs) {
   const user = await requireUser(request);
 
+  const [userRecord, orgCapSeconds] = await Promise.all([
+    prisma.user.findUnique({
+      where: { id: user.id },
+      select: { sessionDuration: true },
+    }),
+    getOrganizationSessionCap(user.id),
+  ]);
+
+  const sessionDuration = userRecord?.sessionDuration ?? DEFAULT_SESSION_DURATION_SECONDS;
+  const sessionDurationOptions = getAllowedSessionOptions(orgCapSeconds, sessionDuration);
+
   return typedjson({
     user,
+    sessionDuration,
+    sessionDurationOptions,
+    orgCapSeconds,
   });
 }
 
 export default function Page() {
-  const { user } = useTypedLoaderData<typeof loader>();
+  const { user, sessionDuration, sessionDurationOptions, orgCapSeconds } =
+    useTypedLoaderData<typeof loader>();
 
   return (
     <PageContainer>
@@ -42,6 +64,13 @@ export default function Page() {
             <Header2>Security</Header2>
           </div>
           <MfaSetup isEnabled={!!user.mfaEnabledAt} />
+          <div className="mt-6 w-full border-t border-grid-dimmed pt-6">
+            <SessionDurationSetting
+              currentValue={sessionDuration}
+              options={sessionDurationOptions}
+              orgCapSeconds={orgCapSeconds}
+            />
+          </div>
         </MainHorizontallyCenteredContainer>
       </PageBody>
     </PageContainer>

apps/webapp/app/routes/admin.api.v1.orgs.$organizationId.session-duration.ts

@@ -0,0 +1,32 @@
+import { type ActionFunctionArgs, json } from "@remix-run/server-runtime";
+import { z } from "zod";
+import { prisma } from "~/db.server";
+import { requireAdminApiRequest } from "~/services/personalAccessToken.server";
+
+const ParamsSchema = z.object({
+  organizationId: z.string(),
+});
+
+const RequestBodySchema = z.object({
+  /**
+   * Maximum session lifetime (seconds) for members of this organization, or
+   * null to remove the cap. When set, this caps each member's
+   * `User.sessionDuration` and is enforced on the user's next request.
+   */
+  maxSessionDuration: z.number().int().positive().nullable(),
+});
+
+export async function action({ request, params }: ActionFunctionArgs) {
+  await requireAdminApiRequest(request);
+
+  const { organizationId } = ParamsSchema.parse(params);
+  const body = RequestBodySchema.parse(await request.json());
+
+  const organization = await prisma.organization.update({
+    where: { id: organizationId },
+    data: { maxSessionDuration: body.maxSessionDuration },
+    select: { id: true, slug: true, maxSessionDuration: true },
+  });
+
+  return json({ success: true, organization });
+}

apps/webapp/app/routes/auth.github.callback.tsx

@@ -5,6 +5,7 @@ import { getSession, redirectWithErrorMessage } from "~/models/message.server";
 import { authenticator } from "~/services/auth.server";
 import { setLastAuthMethodHeader } from "~/services/lastAuthMethod.server";
 import { commitSession } from "~/services/sessionStorage.server";
+import { commitAuthenticatedSession } from "~/services/sessionDuration.server";
 import { trackAndClearReferralSource } from "~/services/referralSource.server";
 import { redirectCookie } from "./auth.github";
 import { sanitizeRedirectPath } from "~/utils";
@@ -52,7 +53,7 @@ export let loader: LoaderFunction = async ({ request }) => {
   session.set(authenticator.sessionKey, auth);
 
   const headers = new Headers();
-  headers.append("Set-Cookie", await commitSession(session));
+  headers.append("Set-Cookie", await commitAuthenticatedSession(session, auth.userId));
   headers.append("Set-Cookie", await setLastAuthMethodHeader("github"));
 
   await trackAndClearReferralSource(request, auth.userId, headers);

apps/webapp/app/routes/auth.google.callback.tsx

@@ -5,6 +5,7 @@ import { getSession, redirectWithErrorMessage } from "~/models/message.server";
 import { authenticator } from "~/services/auth.server";
 import { setLastAuthMethodHeader } from "~/services/lastAuthMethod.server";
 import { commitSession } from "~/services/sessionStorage.server";
+import { commitAuthenticatedSession } from "~/services/sessionDuration.server";
 import { trackAndClearReferralSource } from "~/services/referralSource.server";
 import { redirectCookie } from "./auth.google";
 import { sanitizeRedirectPath } from "~/utils";
@@ -52,7 +53,7 @@ export let loader: LoaderFunction = async ({ request }) => {
   session.set(authenticator.sessionKey, auth);
 
   const headers = new Headers();
-  headers.append("Set-Cookie", await commitSession(session));
+  headers.append("Set-Cookie", await commitAuthenticatedSession(session, auth.userId));
   headers.append("Set-Cookie", await setLastAuthMethodHeader("google"));
 
   await trackAndClearReferralSource(request, auth.userId, headers);

apps/webapp/app/routes/login.mfa/route.tsx

@@ -21,6 +21,7 @@ import { Paragraph } from "~/components/primitives/Paragraph";
 import { Spinner } from "~/components/primitives/Spinner";
 import { authenticator } from "~/services/auth.server";
 import { commitSession, getUserSession } from "~/services/sessionStorage.server";
+import { commitAuthenticatedSession } from "~/services/sessionDuration.server";
 import { getSession as getMessageSession } from "~/models/message.server";
 import { MultiFactorAuthenticationService } from "~/services/mfa/multiFactorAuthentication.server";
 import { redirectWithErrorMessage, redirectBackWithErrorMessage } from "~/models/message.server";
@@ -162,7 +163,7 @@ async function completeLogin(request: Request, session: Session, userId: string)
   session.unset("pending-mfa-redirect-to");
 
   const headers = new Headers();
-  headers.append("Set-Cookie", await commitSession(session));
+  headers.append("Set-Cookie", await commitAuthenticatedSession(session, userId));
 
   await trackAndClearReferralSource(request, userId, headers);
 

apps/webapp/app/routes/magic.tsx

@@ -6,6 +6,7 @@ import { authenticator } from "~/services/auth.server";
 import { setLastAuthMethodHeader } from "~/services/lastAuthMethod.server";
 import { getRedirectTo } from "~/services/redirectTo.server";
 import { commitSession, getSession } from "~/services/sessionStorage.server";
+import { commitAuthenticatedSession } from "~/services/sessionDuration.server";
 import { trackAndClearReferralSource } from "~/services/referralSource.server";
 
 export async function loader({ request }: LoaderFunctionArgs) {
@@ -51,7 +52,7 @@ export async function loader({ request }: LoaderFunctionArgs) {
   session.set(authenticator.sessionKey, auth);
 
   const headers = new Headers();
-  headers.append("Set-Cookie", await commitSession(session));
+  headers.append("Set-Cookie", await commitAuthenticatedSession(session, auth.userId));
   headers.append("Set-Cookie", await setLastAuthMethodHeader("email"));
 
   await trackAndClearReferralSource(request, auth.userId, headers);

apps/webapp/app/routes/resources.account.session-duration/SessionDurationSetting.tsx

@@ -0,0 +1,70 @@
+import { Form, useNavigation } from "@remix-run/react";
+import { Button } from "~/components/primitives/Buttons";
+import { InputGroup } from "~/components/primitives/InputGroup";
+import { Label } from "~/components/primitives/Label";
+import { Paragraph } from "~/components/primitives/Paragraph";
+import { Select, SelectItem } from "~/components/primitives/Select";
+import type { SessionDurationOption } from "~/services/sessionDuration.server";
+
+interface SessionDurationSettingProps {
+  currentValue: number;
+  options: SessionDurationOption[];
+  orgCapSeconds: number | null;
+}
+
+export function SessionDurationSetting({
+  currentValue,
+  options,
+  orgCapSeconds,
+}: SessionDurationSettingProps) {
+  const navigation = useNavigation();
+  const isSubmitting =
+    navigation.state !== "idle" &&
+    navigation.formAction === "/resources/account/session-duration";
+
+  const orgCapOption =
+    orgCapSeconds === null ? null : options.find((o) => o.value === orgCapSeconds);
+
+  return (
+    <Form method="post" action="/resources/account/session-duration" className="w-full">
+      <InputGroup className="mb-4">
+        <Label>Automatic logout</Label>
+        <Paragraph variant="small">
+          Automatically log out after this period of time. Choose a shorter duration for added
+          security on shared or unattended devices.
+          {orgCapSeconds !== null ? (
+            <>
+              {" "}
+              Your organization caps this at {orgCapOption?.label ?? `${orgCapSeconds} seconds`}.
+            </>
+          ) : null}
+        </Paragraph>
+      </InputGroup>
+      <div className="flex items-center gap-2">
+        <Select
+          name="sessionDuration"
+          variant="tertiary/medium"
+          defaultValue={String(currentValue)}
+          text={(value: string) =>
+            options.find((o) => String(o.value) === value)?.label ?? "Select a duration"
+          }
+          dropdownIcon
+        >
+          {options.map((option) => (
+            <SelectItem key={option.value} value={String(option.value)}>
+              {option.label}
+            </SelectItem>
+          ))}
+        </Select>
+        <Button
+          type="submit"
+          variant="primary/medium"
+          disabled={isSubmitting}
+          data-action="save session duration"
+        >
+          {isSubmitting ? "Saving…" : "Save"}
+        </Button>
+      </div>
+    </Form>
+  );
+}

apps/webapp/app/routes/resources.account.session-duration/route.tsx

@@ -0,0 +1,77 @@
+import { redirect, type ActionFunctionArgs } from "@remix-run/server-runtime";
+import { z } from "zod";
+import { prisma } from "~/db.server";
+import {
+  commitSession as commitMessageSession,
+  getSession as getMessageSession,
+  setErrorMessage,
+  setSuccessMessage,
+} from "~/models/message.server";
+import { requireUserId } from "~/services/session.server";
+import {
+  commitAuthenticatedSession,
+  getAllowedSessionOptions,
+  getEffectiveSessionDuration,
+  isAllowedSessionDuration,
+} from "~/services/sessionDuration.server";
+import { getUserSession } from "~/services/sessionStorage.server";
+
+const FormSchema = z.object({
+  sessionDuration: z.coerce.number().int().positive(),
+});
+
+const REDIRECT_PATH = "/account/security";
+
+async function redirectWithError(request: Request, message: string) {
+  const messageSession = await getMessageSession(request.headers.get("cookie"));
+  setErrorMessage(messageSession, message);
+  return redirect(REDIRECT_PATH, {
+    headers: { "Set-Cookie": await commitMessageSession(messageSession) },
+  });
+}
+
+export async function action({ request }: ActionFunctionArgs) {
+  const userId = await requireUserId(request);
+
+  const formData = await request.formData();
+  const parsed = FormSchema.safeParse(Object.fromEntries(formData));
+
+  if (!parsed.success) {
+    return redirectWithError(request, "Invalid session duration value.");
+  }
+
+  const { sessionDuration } = parsed.data;
+
+  if (!isAllowedSessionDuration(sessionDuration)) {
+    return redirectWithError(request, "Invalid session duration value.");
+  }
+
+  const { orgCapSeconds, userSettingSeconds } = await getEffectiveSessionDuration(userId);
+  const allowed = getAllowedSessionOptions(orgCapSeconds, userSettingSeconds);
+  if (!allowed.some((o) => o.value === sessionDuration)) {
+    return redirectWithError(
+      request,
+      "Your organization's policy does not allow that session duration."
+    );
+  }
+
+  await prisma.user.update({
+    where: { id: userId },
+    data: { sessionDuration },
+  });
+
+  // Re-issue the cookie with the new maxAge and reset issuedAt so the user
+  // gets a fresh window matching their new selection right away.
+  const authSession = await getUserSession(request);
+  const authCookie = await commitAuthenticatedSession(authSession, userId);
+
+  const messageSession = await getMessageSession(request.headers.get("cookie"));
+  setSuccessMessage(messageSession, "Session duration updated.");
+  const messageCookie = await commitMessageSession(messageSession);
+
+  const headers = new Headers();
+  headers.append("Set-Cookie", authCookie);
+  headers.append("Set-Cookie", messageCookie);
+
+  return redirect(REDIRECT_PATH, { headers });
+}

apps/webapp/app/services/session.server.ts

@@ -2,6 +2,8 @@ import { redirect } from "@remix-run/node";
 import { getUserById } from "~/models/user.server";
 import { authenticator } from "./auth.server";
 import { getImpersonationId } from "./impersonation.server";
+import { getEffectiveSessionDuration, isSessionExpired } from "./sessionDuration.server";
+import { getUserSession } from "./sessionStorage.server";
 
 export async function getUserId(request: Request): Promise<string | undefined> {
   const impersonatedUserId = await getImpersonationId(request);
@@ -19,8 +21,19 @@ export async function getUserId(request: Request): Promise<string | undefined> {
     return authUser?.userId;
   }
 
-  let authUser = await authenticator.isAuthenticated(request);
-  return authUser?.userId;
+  const authUser = await authenticator.isAuthenticated(request);
+  if (!authUser?.userId) return undefined;
+
+  // Enforce the user's effective session duration (User.sessionDuration capped
+  // by the most restrictive Organization.maxSessionDuration). If the session
+  // was issued longer ago than the cap allows, force a logout.
+  const session = await getUserSession(request);
+  const { durationSeconds } = await getEffectiveSessionDuration(authUser.userId);
+  if (isSessionExpired(session, durationSeconds)) {
+    throw await logout(request);
+  }
+
+  return authUser.userId;
 }
 
 export async function getUser(request: Request) {