Wikia · mmeller-wikia · Jan 19, 2022 · Dec 29, 2021 · Dec 29, 2021 · Dec 29, 2021
diff --git a/driver/config/config.go b/driver/config/config.go
@@ -95,6 +95,8 @@ const (
 	ViperKeySessionPath                                      = "session.cookie.path"
 	ViperKeySessionPersistentCookie                          = "session.cookie.persistent"
 	ViperKeySessionWhoAmIAAL                                 = "session.whoami.required_aal"
+	ViperKeySessionWhoAmIRefresh                             = "session.whoami.refresh"
+	ViperKeySessionRefreshTimeWindow                         = "session.refresh_time_window"
 	ViperKeyCookieSameSite                                   = "cookies.same_site"
 	ViperKeyCookieDomain                                     = "cookies.domain"
 	ViperKeyCookiePath                                       = "cookies.path"
@@ -1029,6 +1031,14 @@ func (p *Config) SessionWhoAmIAAL() string {
 	return p.p.String(ViperKeySessionWhoAmIAAL)
 }
 
+func (p *Config) SessionWhoAmIRefresh() bool {
+	return p.p.Bool(ViperKeySessionWhoAmIRefresh)
+}
+
+func (p *Config) SessionRefreshTimeWindow() time.Duration {
+	return p.p.DurationF(ViperKeySessionRefreshTimeWindow, p.SessionLifespan())
+}
+
 func (p *Config) SelfServiceSettingsRequiredAAL() string {
 	return p.p.String(ViperKeySelfServiceSettingsRequiredAAL)
 }

diff --git a/embedx/config.schema.json b/embedx/config.schema.json
@@ -2115,6 +2115,12 @@
           "properties": {
             "required_aal": {
               "$ref": "#/definitions/featureRequiredAal"
+            },
+            "refresh": {
+              "title": "Allow session refresh from whoami endpoint",
+              "description": "If set to true will will allow to refresh session lifespan if ?refresh=true is present",
+              "type": "boolean",
+              "default": false
             }
           },
           "additionalProperties": false
@@ -2168,6 +2174,18 @@
             }
           },
           "additionalProperties": false
+        },
+        "refresh_time_window": {
+          "title": "Session refresh time window",
+          "description": "Time window when session can be refreshed to avoid excess refreshes. It is calculated as duration from the session expiration time.",
+          "type": "string",
+          "pattern": "^[0-9]+(ns|us|ms|s|m|h)$",
+          "default": "24h",
+          "examples": [
+            "1h",
+            "1m",
+            "1s"
+          ]
         }
       }
     },

diff --git a/internal/testhelpers/handler_mock.go b/internal/testhelpers/handler_mock.go
@@ -92,7 +92,8 @@ func NewNoRedirectClientWithCookies(t *testing.T) *http.Client {
 	}
 }
 
-func MockHydrateCookieClient(t *testing.T, c *http.Client, u string) {
+func MockHydrateCookieClient(t *testing.T, c *http.Client, u string) *http.Cookie {
+	var sessionCookie *http.Cookie
 	res, err := c.Get(u)
 	require.NoError(t, err)
 	defer res.Body.Close()
@@ -102,9 +103,11 @@ func MockHydrateCookieClient(t *testing.T, c *http.Client, u string) {
 	for _, c := range res.Cookies() {
 		if c.Name == config.DefaultSessionCookieName {
 			found = true
+			sessionCookie = c
 		}
 	}
 	require.True(t, found)
+	return sessionCookie
 }
 
 func MockSessionCreateHandlerWithIdentity(t *testing.T, reg mockDeps, i *identity.Identity) (httprouter.Handle, *session.Session) {

diff --git a/session/handler.go b/session/handler.go
@@ -1,6 +1,7 @@
 package session
 
 import (
+	"fmt"
 	"net/http"
 	"time"
 
@@ -48,6 +49,8 @@ func NewHandler(
 const (
 	RouteCollection         = "/sessions"
 	RouteWhoami             = RouteCollection + "/whoami"
+	RouteSessionRefresh     = RouteCollection + "/refresh"
+	RouteSessionRefreshId   = RouteSessionRefresh + "/:id"
 	RouteIdentity           = "/identities"
 	RouteIdentityManagement = RouteIdentity + "/:id/sessions"
 	RouteIdentitySession    = RouteIdentity + "/:id/session"
@@ -60,6 +63,8 @@ func (h *Handler) RegisterAdminRoutes(admin *x.RouterAdmin) {
 		admin.Handle(m, RouteWhoami, x.RedirectToPublicRoute(h.r))
 	}
 	admin.DELETE(RouteIdentityManagement, h.deleteIdentitySessions)
+	admin.PATCH(RouteSessionRefresh, h.adminCurrentSessionRefresh)
+	admin.PATCH(RouteSessionRefreshId, h.adminSessionRefresh)
 	admin.GET(RouteIdentitySession, h.session)
 }
 
@@ -104,6 +109,12 @@ type toSession struct {
 // Returns a session object in the body or 401 if the credentials are invalid or no credentials were sent.
 // Additionally when the request it successful it adds the user ID to the 'X-Kratos-Authenticated-Identity-Id' header in the response.
 //
+// It is also possible to refresh the session lifespan of a current session by adding a `refresh=true` param to the request url.
+// By default session refresh on this endpoint is disabled.
+// Session refresh can be enabled only after setting `session.whoami.refresh` to true in the config.
+// After enabling this option any refresh request will set the session life equal to `session.lifespan`.
+// If you want to refresh the session only some time before session expiration you can set a proper value for `session.refresh_time_window`
+//
 // If you call this endpoint from a server-side application, you must forward the HTTP Cookie Header to this endpoint:
 //
 //	```js
@@ -135,6 +146,7 @@ type toSession struct {
 // - AJAX calls. Remember to send credentials and set up CORS correctly!
 // - Reverse proxies and API Gateways
 // - Server-side calls - use the `X-Session-Token` header!
+// - Session refresh
 //
 // This endpoint authenticates users by checking
 //
@@ -159,7 +171,7 @@ type toSession struct {
 //       401: jsonError
 //       403: jsonError
 //       500: jsonError
-func (h *Handler) whoami(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
+func (h *Handler) whoami(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
 	s, err := h.r.SessionManager().FetchFromRequest(r.Context(), r)
 	if err != nil {
 		h.r.Audit().WithRequest(r).WithError(err).Info("No valid session cookie found.")
@@ -168,7 +180,8 @@ func (h *Handler) whoami(w http.ResponseWriter, r *http.Request, ps httprouter.P
 	}
 
 	var aalErr *ErrAALNotSatisfied
-	if err := h.r.SessionManager().DoesSessionSatisfy(r, s, h.r.Config(r.Context()).SessionWhoAmIAAL()); errors.As(err, &aalErr) {
+	c := h.r.Config(r.Context())
+	if err := h.r.SessionManager().DoesSessionSatisfy(r, s, c.SessionWhoAmIAAL()); errors.As(err, &aalErr) {
 		h.r.Audit().WithRequest(r).WithError(err).Info("Session was found but AAL is not satisfied for calling this endpoint.")
 		h.r.Writer().WriteError(w, r, err)
 		return
@@ -178,6 +191,17 @@ func (h *Handler) whoami(w http.ResponseWriter, r *http.Request, ps httprouter.P
 		return
 	}
 
+	// Refresh session if param was true
+	refresh := r.URL.Query().Get("refresh")
+	if c.SessionWhoAmIRefresh() && refresh == "true" && s.CanBeRefreshed(c) {
+		s = s.Refresh(c)
+		if err := h.r.SessionPersister().UpsertSession(r.Context(), s); err != nil {
+			h.r.Writer().WriteError(w, r, err)
+			return
+		}
+		h.r.SessionManager().IssueCookie(r.Context(), w, r, s)
+	}
+
 	// s.Devices = nil
 	s.Identity = s.Identity.CopyWithoutCredentials()
 
@@ -314,6 +338,93 @@ func (h *Handler) session(w http.ResponseWriter, r *http.Request, ps httprouter.
 	h.r.Writer().Write(w, r, &AdminIdentitySessionResponse{Session: s, Token: s.Token, Identity: i})
 }
 
+// swagger:parameters adminSessionRefresh
+// nolint:deadcode,unused
+type adminSessionRefresh struct {
+	// ID is the session's ID.
+	//
+	// required: true
+	// in: path
+	ID string `json:"id"`
+}
+
+// swagger:route PATCH /sessions/refresh/{id} v0alpha2 adminSessionRefresh
+//
+// Calling this endpoint refreshes a given session.
+// If `session.refresh_time_window` is set it will only refresh the session after this time has passed.
+//
+// This endpoint is useful for:
+//
+// - Session refresh
+//
+//     Schemes: http, https
+//
+//     Security:
+//       oryAccessToken:
+//
+//     Responses:
+//       200: session
+//       404: jsonError
+//       500: jsonError
+func (h *Handler) adminSessionRefresh(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
+	iID, err := uuid.FromString(ps.ByName("id"))
+	if err != nil {
+		h.r.Writer().WriteError(w, r, herodot.ErrBadRequest.WithError(err.Error()).WithDebug("could not parse UUID"))
+		return
+	}
+	s, err := h.r.SessionPersister().GetSession(r.Context(), iID)
+	if err != nil {
+		h.r.Writer().WriteError(w, r, err)
+		return
+	}
+	c := h.r.Config(r.Context())
+	if s.CanBeRefreshed(c) {
+		if err := h.r.SessionPersister().UpsertSession(r.Context(), s.Refresh(c)); err != nil {
+			h.r.Writer().WriteError(w, r, err)
+			return
+		}
+	}
+
+	h.r.Writer().Write(w, r, s)
+}
+
+// swagger:route GET /sessions/refresh v0alpha2 adminIdentitySession
+//
+// Calling this endpoint refreshes a given session.
+// If `session.refresh_time_window` is set it will only refresh the session after this time has passed.
+//
+// This endpoint is useful for:
+//
+// - Session refresh
+//
+//     Schemes: http, https
+//
+//     Security:
+//       oryAccessToken:
+//
+//     Responses:
+//       200: successfulAdminIdentitySession
+//       404: jsonError
+//       500: jsonError
+func (h *Handler) adminCurrentSessionRefresh(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
+	s, err := h.r.SessionManager().FetchFromRequest(r.Context(), r)
+	fmt.Printf("\n %+v \n", r.Cookies())
+	if err != nil {
+		h.r.Audit().WithRequest(r).WithError(err).Info("No valid session cookie found.")
+		h.r.Writer().WriteError(w, r, herodot.ErrUnauthorized.WithWrap(err).WithReasonf("No valid session cookie found."))
+		return
+	}
+	c := h.r.Config(r.Context())
+	if s.CanBeRefreshed(c) {
+		if err := h.r.SessionPersister().UpsertSession(r.Context(), s.Refresh(c)); err != nil {
+			h.r.Writer().WriteError(w, r, err)
+			return
+		}
+	}
+
+	h.r.Writer().Write(w, r, s)
+}
+
 // fandom-end
 
 func (h *Handler) IsAuthenticated(wrap httprouter.Handle, onUnauthenticated httprouter.Handle) httprouter.Handle {