From af461e11dd52b60cf99560e74d027299976948af Mon Sep 17 00:00:00 2001
From: Rolf Schmidt
Date: Mon, 26 Apr 2021 13:17:44 +0100
Subject: [PATCH] Fixes #3524 - Default session timeouts to 4 weeks.
---
.../app/controllers/_plugin/session_timeout.coffee | 13 ++++++++-----
...210426000002_update_session_timeout_defaults.rb | 14 ++++++++++++++
db/seeds/settings.rb | 8 ++++----
spec/system/dashboard_spec.rb | 12 ++++++------
4 files changed, 32 insertions(+), 15 deletions(-)
create mode 100644 db/migrate/20210426000002_update_session_timeout_defaults.rb
diff --git a/app/assets/javascripts/app/controllers/_plugin/session_timeout.coffee b/app/assets/javascripts/app/controllers/_plugin/session_timeout.coffee
index a78c1a24a..adce4081e 100644
--- a/app/assets/javascripts/app/controllers/_plugin/session_timeout.coffee
+++ b/app/assets/javascripts/app/controllers/_plugin/session_timeout.coffee
@@ -1,22 +1,25 @@ class SessionTimeout extends App.Controller + lastEvent = 0 + constructor: -> super - lastEvent = 0 + lastEvent = new Date().getTime() check_timeout = => return if new Date().getTime() - 1000 < lastEvent lastEvent = new Date().getTime() - @setDelay() + @checkLogout() $(document).off('keyup.session_timeout').on('keyup.session_timeout', check_timeout) $(document).off('mousemove.session_timeout').on('mousemove.session_timeout', check_timeout) @controllerBind('config_update', check_timeout) @controllerBind('session_timeout', @quitApp) - @setDelay() + @interval(@checkLogout, 5000, 'session_timeout') - setDelay: => + checkLogout: => return if App.Session.get() is undefined - @delay(@quitApp, @getTimeout(), 'session_timeout') + return if lastEvent + @getTimeout() > new Date().getTime() + @quitApp() quitApp: => return if App.Session.get() is undefined
diff --git a/db/migrate/20210426000002_update_session_timeout_defaults.rb b/db/migrate/20210426000002_update_session_timeout_defaults.rb
new file mode 100644
index 000000000..b0046e328
--- /dev/null
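Review bot: In `check_timeout` (session_timeout.coffee hunk), `lastEvent` is refreshed before `@checkLogout()` is called, so that call can never observe an expired session. If the 5-second `@interval` check has not run yet, for example after a suspended tab or laptop resumes (timer behaviour there is not visible from this hunk), the first key press or mouse move resets the idle clock and a session past its timeout stays open. Checking first closes that gap: `@checkLogout()` followed by `lastEvent = new Date().getTime()`. The `config_update` binding uses the same handler, so a pushed configuration change is also counted as user activity; binding it to `@checkLogout` directly would avoid that. `lastEvent = 0` in the class body is a closure variable shared by every instance rather than per-instance state, which deserves a one-line comment.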
+++ b/db/migrate/20210426000002_update_session_timeout_defaults.rb
@@ -0,0 +1,14 @@
+class UpdateSessionTimeoutDefaults < ActiveRecord::Migration[5.2]
+ def change
+ return if !Setting.exists?(name: 'system_init_done')
+
+ defaults = Setting.get('session_timeout')
+ %w[default admin ticket.agent ticket.customer].each do |key|
+ next if defaults[key].to_i != 172_800
+
+ defaults[key] = 4.weeks.seconds
+ end
+
+ Setting.set('session_timeout', defaults)
+ end
+end
diff --git a/db/seeds/settings.rb b/db/seeds/settings.rb
index f253af59b..c3d26f774 100644
--- a/db/seeds/settings.rb
+++ b/db/seeds/settings.rb
@@ -1078,10 +1078,10 @@ Setting.create_if_not_exists( prio: 30, }, state: { - 'default' => 2.days.seconds, - 'admin' => 2.days.seconds, - 'ticket.agent' => 2.days.seconds, - 'ticket.customer' => 2.days.seconds, + 'default' => 4.weeks.seconds, + 'admin' => 4.weeks.seconds, + 'ticket.agent' => 4.weeks.seconds, + 'ticket.customer' => 4.weeks.seconds, }, frontend: true )
diff --git a/spec/system/dashboard_spec.rb b/spec/system/dashboard_spec.rb
index 0a5db6426..fc1174179 100644
--- a/spec/system/dashboard_spec.rb
+++ b/spec/system/dashboard_spec.rb
@@ -49,7 +49,7 @@ RSpec.describe 'Dashboard', type: :system, authenticated_as: true do end it 'does logout user' do - expect(page).to have_text('Sign in', wait: 15) + expect(page).to have_text('Sign in', wait: 20) end it 'does not logout user', authenticated_as: :admin do
@@ -62,7 +62,7 @@ RSpec.describe 'Dashboard', type: :system, authenticated_as: true do it 'does logout user' do expect(page).to have_no_text('Sign in') Setting.set('session_timeout', { default: '1' }) - expect(page).to have_text('Sign in', wait: 15) + expect(page).to have_text('Sign in', wait: 20) end end
@@ -73,7 +73,7 @@ RSpec.describe 'Dashboard', type: :system, authenticated_as: true do end it 'does logout user' do - expect(page).to have_text('Sign in', wait: 15) + expect(page).to have_text('Sign in', wait: 20) end end
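Review bot: The loop in `UpdateSessionTimeoutDefaults#change` treats any stored value of exactly `172_800` as an untouched default, so an installation that deliberately kept two days is silently moved to four weeks for every listed role, `admin` included. Nothing records which keys were rewritten; a comment above the loop such as `# 172_800 = former 2-day default; an explicit 2-day choice cannot be told apart and is raised too`, plus a log line per changed key, would make the upgrade auditable. The `db/seeds/settings.rb` hunk gives `admin` the same four-week idle window as `ticket.customer`, and a shorter value for the privileged role is worth considering there. `Setting.get('session_timeout')` is also indexed without a nil check, so if the setting is absent (whether that can happen is not visible from this hunk) `defaults[key]` raises; `return if defaults.blank?` after the lookup would cover it.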
@@ -84,7 +84,7 @@ RSpec.describe 'Dashboard', type: :system, authenticated_as: true do end it 'does logout user' do - expect(page).to have_text('Sign in', wait: 15) + expect(page).to have_text('Sign in', wait: 20) end end
@@ -95,7 +95,7 @@ RSpec.describe 'Dashboard', type: :system, authenticated_as: true do end it 'does logout user' do - expect(page).to have_text('Sign in', wait: 15) + expect(page).to have_text('Sign in', wait: 20) end end
@@ -109,7 +109,7 @@ RSpec.describe 'Dashboard', type: :system, authenticated_as: true do # backend tests for the rest session = ActiveRecord::SessionStore::Session.all.detect { |s| s.data['user_id'] == admin.id } SessionTimeoutJob.destroy_session(admin, session) - expect(page).to have_text('Sign in', wait: 15) + expect(page).to have_text('Sign in', wait: 20) end end end