From 5b34fae2e21287ebe2a03cf2cb5af9d50613f6bf Mon Sep 17 00:00:00 2001
From: kennethrioja <59597207+kennethrioja@users.noreply.github.com>
Date: Thu, 13 Nov 2025 16:54:57 +0100
Subject: [PATCH 1/2] feat(session_store): can logout session after n seconds
---
 config/initializers/session_store.rb | 9 ++++++++-
 config/tess.example.yml | 1 +
 test/integration/session_expiry_test.rb | 21 +++++++++++++++++++++
 3 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 test/integration/session_expiry_test.rb
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index f02ff6de3..e54e933f2 100644
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -1,3 +1,10 @@
 # Be sure to restart your server when you modify this file.
-opts = Rails.env.production? ? { same_site: :lax, secure: true } : {}
+opts = {}
+
+if Rails.env.production?
+ opts = { same_site: :lax, secure: true }
+ expiry_time = TeSS::Config.login_expires_after
+ opts[:expire_after] = expiry_time unless expiry_time.nil?
+end
+
 Rails.application.config.session_store :cookie_store, **opts
diff --git a/config/tess.example.yml b/config/tess.example.yml
index 103916215..1722cfd5f 100644
--- a/config/tess.example.yml
+++ b/config/tess.example.yml
@@ -13,6 +13,7 @@ default: &default
 announcement_message:
 prevent_robot_indexing: false
 require_cookie_consent: true
+ login_expires_after: # in seconds, sets the login session duration, after this, users must login again, leave blank to disable.
 blocked_domains:
 - !ruby/regexp '/bad-domain\.example/'
 blocked_countries: # Block registration from the following ISO 3166-1 alpha-2 codes
diff --git a/test/integration/session_expiry_test.rb b/test/integration/session_expiry_test.rb
new file mode 100644
index 000000000..3a7e3791a
--- /dev/null
+++ b/test/integration/session_expiry_test.rb
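Review bot: The added `opts[:expire_after] = expiry_time` line in config/initializers/session_store.rb carries no comment saying what kind of timeout it produces, while the setting name `login_expires_after` reads like a hard limit on how long a login lasts. As far as I know, Rails re-issues the session cookie with a fresh expiry whenever the session is written, so this would be an inactivity timeout and a session that stays active is never forced to log in again; that should be confirmed against the Rails version in use. With `:cookie_store` the hunk shows no server-side session record, so this expiry appears to be the only bound on how long an issued cookie remains valid. I would add a comment above the line such as `# Inactivity timeout: the cookie expiry is renewed on each session write; this is not an absolute session lifetime.`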
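Review bot: The comment on the new `login_expires_after:` key in config/tess.example.yml does not mention that the value is only read inside the `if Rails.env.production?` branch of session_store.rb, so an operator who sets it on a staging or development instance gets no expiry and no warning. It also does not say what form the value must take. I would reword it to something like `# session timeout in whole seconds (e.g. 3600); only applied in production; leave blank to disable`.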
@@ -0,0 +1,21 @@
+require 'test_helper'
+
+class SessionExpiryTest < ActionDispatch::IntegrationTest
+ test 'sets expire_after in production' do
+ Rails.stub(:env, ActiveSupport::StringInquirer.new('production')) do
+ TeSS::Config.stub(:login_expires_after, 3600) do
+ load Rails.root.join('config/initializers/session_store.rb')
+ assert_equal 3600, Rails.application.config.session_options[:expire_after]
+ end
+ end
+ end
+
+ test 'does not set expire_after outside production' do
+ Rails.stub(:env, ActiveSupport::StringInquirer.new('test')) do
+ TeSS::Config.stub(:login_expires_after, 3600) do
+ load Rails.root.join('config/initializers/session_store.rb')
+ assert_nil Rails.application.config.session_options[:expire_after]
+ end
+ end
+ end
+end
From 70392c7dc5bc4d4bc078fb52c67ea07ee7bea295 Mon Sep 17 00:00:00 2001
From: kennethrioja <59597207+kennethrioja@users.noreply.github.com>
Date: Tue, 16 Dec 2025 16:48:27 +0100
Subject: [PATCH 2/2] review(#1194): removing test, unless blank instead of nil
---
 config/initializers/session_store.rb | 2 +-
 test/integration/session_expiry_test.rb | 21 ---------------------
 2 files changed, 1 insertion(+), 22 deletions(-)
 delete mode 100644 test/integration/session_expiry_test.rb
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index e54e933f2..8f7289407 100644
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -4,7 +4,7 @@
 if Rails.env.production?
 opts = { same_site: :lax, secure: true }
 expiry_time = TeSS::Config.login_expires_after
- opts[:expire_after] = expiry_time unless expiry_time.nil?
+ opts[:expire_after] = expiry_time unless expiry_time.blank?
 end

 Rails.application.config.session_store :cookie_store, **opts
diff --git a/test/integration/session_expiry_test.rb b/test/integration/session_expiry_test.rb
deleted file mode 100644
index 3a7e3791a..000000000
--- a/test/integration/session_expiry_test.rb
+++ /dev/null
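Review bot: `expiry_time.blank?` in config/initializers/session_store.rb only filters nil, empty and whitespace-only values, so anything else the YAML holds is handed to `expire_after` unchecked. `0` and negative numbers are not blank and would presumably yield a cookie that is already expired, and a quoted value such as `"3600"` stays a String, which I expect to fail only when the first session cookie is written. Since this is a security setting, I would convert and range-check it at boot and abort on a bad value rather than run with a broken or missing timeout. With the integration test removed in this commit, nothing on the page exercises this path any more.

```ruby
  expiry_time = TeSS::Config.login_expires_after
  unless expiry_time.blank?
    seconds = Integer(expiry_time) # raises at boot on a non-numeric value
    raise ArgumentError, 'login_expires_after must be a positive number of seconds' unless seconds.positive?

    opts[:expire_after] = seconds
  end
```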
@@ -1,21 +0,0 @@
-require 'test_helper'
-
-class SessionExpiryTest < ActionDispatch::IntegrationTest
- test 'sets expire_after in production' do
- Rails.stub(:env, ActiveSupport::StringInquirer.new('production')) do
- TeSS::Config.stub(:login_expires_after, 3600) do
- load Rails.root.join('config/initializers/session_store.rb')
- assert_equal 3600, Rails.application.config.session_options[:expire_after]
- end
- end
- end
-
- test 'does not set expire_after outside production' do
- Rails.stub(:env, ActiveSupport::StringInquirer.new('test')) do
- TeSS::Config.stub(:login_expires_after, 3600) do
- load Rails.root.join('config/initializers/session_store.rb')
- assert_nil Rails.application.config.session_options[:expire_after]
- end
- end
- end
-end