From 01f0fee81123007805ca4e37e564035617f253a1 Mon Sep 17 00:00:00 2001
From: Niels Vandekeybus
Date: Mon, 26 Aug 2024 11:50:40 +0200
Subject: [PATCH] allow setting cookie max age

In some settings 'session cookies' are not preferred, since they can be very long lived. This allows set the cookie max age to auto expire cookies
---
 README.md | 1 +
 config/config.exs | 1 +
 lib/proxy.ex | 9 ++++++++-
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 4336019..b6c82c3 100644
--- a/README.md
+++ b/README.md
@@ -170,6 +170,7 @@ All settings are configured through environment variables.
 * `SESSION_COOKIE_SECURE`: Set SECURE flag of the session cookie (see [MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie))
 * `SESSION_COOKIE_HTTP_ONLY`: Set HTTP_ONLY flag of the session cookie (see [MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie)), on by default.
 * `SESSION_COOKIE_SAME_SITE`: Set SAME_SITE flag of the session cookie (see [MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie)), "Lax" by default unless `DEFAULT_ACCESS_CONTROL_ALLOW_ORIGIN_HEADER` is "*" then "None" by default. This means the cookie is available only on your site unless you've also set the CORS header.
+* `SESSION_COOKIE_MAX_AGE`: Set the number of seconds until the cookie expires. By default this is not set and the cookie is a [session cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#expiresdate).
 * `IDLE_TIMEOUT`: the amount of time (in ms) that idle requests will be kept open (see [`idle_timeout` in the Cowboy docs](https://ninenines.eu/docs/en/cowboy/2.5/manual/cowboy_http/))
 * `OVERRIDE_VARY_HEADER`: EXPERIMENTAL When set, the [`Vary` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Vary) is overriden with the specified variable, regardless of what the backend provides.
diff --git a/config/config.exs b/config/config.exs
index 93e1d13..eab1a9a 100644
--- a/config/config.exs
+++ b/config/config.exs
@@ -49,6 +49,7 @@ config :mu_identifier,
 default_access_control_allow_origin_header: System.get_env("DEFAULT_ACCESS_CONTROL_ALLOW_ORIGIN_HEADER"),
 default_mu_auth_allowed_groups_header: System.get_env("DEFAULT_MU_AUTH_ALLOWED_GROUPS_HEADER"),
+ session_cookie_max_age: System.get_env("SESSION_COOKIE_MAX_AGE")
 session_cookie_secure: CH.system_boolean("SESSION_COOKIE_SECURE", false),
 session_cookie_http_only: CH.system_boolean("SESSION_COOKIE_HTTP_ONLY", true),
 session_cookie_same_site: CH.calculate_same_site(),
diff --git a/lib/proxy.ex b/lib/proxy.ex
index 27f7581..ef4ee52 100644
--- a/lib/proxy.ex
+++ b/lib/proxy.ex
@@ -63,11 +63,18 @@ defmodule Proxy do
 end
 def opts_from_environment do
- [
+ base_opts = [
 secure: Application.get_env(:mu_identifier, :session_cookie_secure),
 http_only: Application.get_env(:mu_identifier, :session_cookie_http_only),
 same_site: Application.get_env(:mu_identifier, :session_cookie_same_site)
 ]
+
+ max_age = Application.get_env(:mu_identifier, :session_cookie_max_age)
+
+ case max_age do
+ nil -> base_opts
+ age -> base_opts ++ [max_age: String.to_integer(age)]
+ end
 end
 end
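Review bot: The added `session_cookie_max_age` entry in config/config.exs has no trailing comma, so the keyword list passed to `config :mu_identifier` no longer parses and the configuration file will fail to load; the line should read `session_cookie_max_age: System.get_env("SESSION_COOKIE_MAX_AGE"),`. The value is also stored as a raw string while the neighbouring cookie flags go through `CH` helpers, so nothing validates it at load time before lib/proxy.ex converts it. The `config` call begins and continues outside the hunk.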
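Review bot: `String.to_integer(age)` in the new `case` of `opts_from_environment` raises `ArgumentError` for any value that is not a clean integer, including the empty string that `SESSION_COOKIE_MAX_AGE=` produces, and it accepts zero or negative values that make the browser discard the session cookie immediately. Because the conversion happens inside this function rather than at configuration load, a bad value surfaces only when the function is called (its callers are outside the hunk), which for a proxy presumably means while handling requests. Parsing with `Integer.parse/1`, treating an empty value as unset and rejecting non-positive numbers with a clear message is safer, as sketched below. A comment should also state that `max_age` only limits how long the browser keeps the cookie; whether the session is expired server-side as well is not visible here.

```elixir
# … unchanged: base_opts keyword list …
max_age = Application.get_env(:mu_identifier, :session_cookie_max_age)

case max_age do
  # An empty variable is treated like an unset one: plain session cookie.
  unset when unset in [nil, ""] ->
    base_opts

  age ->
    case Integer.parse(String.trim(age)) do
      {seconds, ""} when seconds > 0 ->
        base_opts ++ [max_age: seconds]

      _ ->
        # Fail loudly instead of silently falling back to a session cookie.
        raise ArgumentError,
              "SESSION_COOKIE_MAX_AGE must be a positive integer number of seconds, got: #{inspect(age)}"
    end
end
```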