From fab6a8f8c95ed77871d14b9e7d68ca9ab2a199df Mon Sep 17 00:00:00 2001
From: Jens L
Date: Mon, 13 Mar 2023 15:31:06 +0100
Subject: [PATCH] stages/user_login: expiry before login (#4920) * stages/user_write: run set_expiry before login, so that session used in Signal has correct expiry Signed-off-by: Jens Langhammer * add tests Signed-off-by: Jens Langhammer --------- Signed-off-by: Jens Langhammer
---
 authentik/stages/user_login/stage.py | 10 +++++-----
 authentik/stages/user_login/tests.py | 9 +++++++++
 2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/authentik/stages/user_login/stage.py b/authentik/stages/user_login/stage.py
index 6536fa6f2..d08ef07f2 100644
--- a/authentik/stages/user_login/stage.py
+++ b/authentik/stages/user_login/stage.py
@@ -32,16 +32,16 @@ class UserLoginStageView(StageView):
 user: User = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
 if not user.is_active:
 self.logger.warning("User is not active, login will not work.")
- login(
- self.request,
- user,
- backend=backend,
- )
 delta = timedelta_from_string(self.executor.current_stage.session_duration)
 if delta.total_seconds() == 0:
 self.request.session.set_expiry(0)
 else:
 self.request.session.set_expiry(delta)
+ login(
+ self.request,
+ user,
+ backend=backend,
+ )
 self.logger.debug(
 "Logged in",
 backend=backend,
diff --git a/authentik/stages/user_login/tests.py b/authentik/stages/user_login/tests.py
index c84fda793..6d0e39495 100644
--- a/authentik/stages/user_login/tests.py
+++ b/authentik/stages/user_login/tests.py
@@ -5,6 +5,7 @@ from unittest.mock import patch
 from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.core.cache import cache
 from django.urls import reverse
+from django.utils.timezone import now
 from authentik.core.models import AuthenticatedSession
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
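Review bot: Moving `set_expiry()` ahead of `login()` still loses the configured expiry on the re-login path, because as far as I can tell `django.contrib.auth.login` calls `request.session.flush()` when the session already holds a different user (or a stale session-auth hash), and `flush()` discards the `_session_expiry` entry that `set_expiry()` wrote; only the fresh-session path (`cycle_key()`) carries it over. In that case the session silently falls back to `SESSION_COOKIE_AGE` instead of the stage's `session_duration`, so a short or browser-close (`0`) policy is not enforced precisely when one account is swapped for another in the same session. I would compute the expiry once, set it before `login()` so `user_logged_in` handlers see it as the commit intends, and re-apply it after `login()` so a flushed session gets it too. The enclosing method starts and ends outside the hunk.
```python
        # … unchanged: pending-user lookup and is_active warning …
        delta = timedelta_from_string(self.executor.current_stage.session_duration)
        # 0 means "expire when the browser closes"; otherwise the configured duration
        expiry = 0 if delta.total_seconds() == 0 else delta
        # Set before login() so user_logged_in handlers see the final expiry
        self.request.session.set_expiry(expiry)
        # … unchanged: login(self.request, user, backend=backend) call …
        # login() flushes the session when it already held a different user,
        # dropping _session_expiry; re-apply so the stage's duration always wins
        self.request.session.set_expiry(expiry)
        # … unchanged: "Logged in" debug log …
```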
@@ -16,6 +17,7 @@ from authentik.flows.tests.test_executor import TO_STAGE_RESPONSE_MOCK
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.generators import generate_id
 from authentik.lib.utils.http import DEFAULT_IP
+from authentik.lib.utils.time import timedelta_from_string
 from authentik.stages.user_login.models import UserLoginStage
@@ -103,6 +105,13 @@ class TestUserLoginStage(FlowTestCase):
 self.assertEqual(response.status_code, 200)
 self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
 self.assertNotEqual(list(self.client.session.keys()), [])
+ session_key = self.client.session.session_key
+ session = AuthenticatedSession.objects.filter(session_key=session_key).first()
+ self.assertAlmostEqual(
+ session.expires.timestamp() - now().timestamp(),
+ timedelta_from_string(self.stage.session_duration).total_seconds(),
+ delta=1,
+ )
 sleep(3)
 self.client.session.clear_expired()
 self.assertEqual(list(self.client.session.keys()), [])
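Review bot: The new assertion dereferences `session.expires` straight after `AuthenticatedSession.objects.filter(session_key=session_key).first()`, so if no `AuthenticatedSession` row was written the test dies with an `AttributeError` on `None` instead of a readable failure; add `self.assertIsNotNone(session)` before the `assertAlmostEqual`. The check also only covers a session that held no user before this login; a second case that logs in as one user and then runs the flow as another would pin the expiry on the re-used-session path as well, which the fresh-session case cannot show. The enclosing test method starts outside the hunk.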