Fix SessionId Cookie MaxAge on Hybrid Auth Mode

mckaragoz · mckaragoz · commit 818b10cfe16c · 2026-01-12T22:04:24.000+03:00
diff --git a/src/CodeBeam.UltimateAuth.Server/Cookies/DefaultUAuthCookiePolicyBuilder.cs b/src/CodeBeam.UltimateAuth.Server/Cookies/DefaultUAuthCookiePolicyBuilder.cs
@@ -1,12 +1,14 @@
-﻿using CodeBeam.UltimateAuth.Server.Auth;
+﻿using CodeBeam.UltimateAuth.Core;
+using CodeBeam.UltimateAuth.Core.Domain;
+using CodeBeam.UltimateAuth.Server.Auth;
 using CodeBeam.UltimateAuth.Server.Options;
 using Microsoft.AspNetCore.Http;
 
 namespace CodeBeam.UltimateAuth.Server.Cookies;
 
 internal sealed class DefaultUAuthCookiePolicyBuilder : IUAuthCookiePolicyBuilder
 {
-    public CookieOptions Build(CredentialResponseOptions response, AuthFlowContext context, TimeSpan? logicalLifetime)
+    public CookieOptions Build(CredentialResponseOptions response, AuthFlowContext context, CredentialKind kind)
     {
         if (response.Cookie is null)
             throw new InvalidOperationException("Cookie policy requested but Cookie options are null.");
@@ -18,11 +20,11 @@ public CookieOptions Build(CredentialResponseOptions response, AuthFlowContext c
             HttpOnly = src.HttpOnly,
             Secure = src.SecurePolicy == CookieSecurePolicy.Always,
             Path = src.Path,
-            Domain = src.Domain
+            Domain = src.Domain,
+            SameSite = ResolveSameSite(src, context)
         };
 
-        options.SameSite = ResolveSameSite(src, context);
-        ApplyLifetime(options, src, logicalLifetime);
+        ApplyLifetime(options, src, context, kind);
 
         return options;
     }
@@ -41,30 +43,51 @@ private static SameSiteMode ResolveSameSite(UAuthCookieOptions cookie, AuthFlowC
         };
     }
 
-    private static void ApplyLifetime(CookieOptions target, UAuthCookieOptions src, TimeSpan? logicalLifetime)
+    private static void ApplyLifetime(CookieOptions target, UAuthCookieOptions src, AuthFlowContext context, CredentialKind kind)
     {
         var buffer = src.Lifetime.IdleBuffer ?? TimeSpan.Zero;
-        TimeSpan? baseLifetime = null;
+        var baseLifetime = ResolveBaseLifetime(context, kind, src);
 
-        // 1️⃣ Hard MaxAge override (base)
-        if (src.MaxAge is not null)
-        {
-            baseLifetime = src.MaxAge;
-        }
-        // 2️⃣ Absolute lifetime override (base)
-        else if (src.Lifetime.AbsoluteLifetimeOverride is not null)
+        if (baseLifetime is not null)
         {
-            baseLifetime = src.Lifetime.AbsoluteLifetimeOverride;
+            target.MaxAge = baseLifetime.Value + buffer;
         }
-        // 3️⃣ Logical lifetime (effective)
-        else if (logicalLifetime is not null)
+    }
+
+    private static TimeSpan? ResolveBaseLifetime(AuthFlowContext context, CredentialKind kind, UAuthCookieOptions src)
+    {
+        if (src.MaxAge is not null)
+            return src.MaxAge;
+
+        if (src.Lifetime.AbsoluteLifetimeOverride is not null)
+            return src.Lifetime.AbsoluteLifetimeOverride;
+
+        return kind switch
         {
-            baseLifetime = logicalLifetime;
-        }
+            CredentialKind.Session => ResolveSessionLifetime(context),
+            CredentialKind.RefreshToken => context.EffectiveOptions.Options.Tokens.RefreshTokenLifetime,
+            CredentialKind.AccessToken => context.EffectiveOptions.Options.Tokens.AccessTokenLifetime,
+            _ => null
+        };
+    }
 
-        if (baseLifetime is not null)
+    private static TimeSpan? ResolveSessionLifetime(AuthFlowContext context)
+    {
+        var sessionIdle = context.EffectiveOptions.Options.Session.IdleTimeout;
+        var refresh = context.EffectiveOptions.Options.Tokens.RefreshTokenLifetime;
+
+        return context.EffectiveMode switch
         {
-            target.MaxAge = baseLifetime.Value + buffer;
-        }
+            UAuthMode.PureOpaque => sessionIdle,
+            UAuthMode.Hybrid => Max(sessionIdle, refresh),
+            _ => sessionIdle
+        };
+    }
+
+    private static TimeSpan? Max(TimeSpan? a, TimeSpan? b)
+    {
+        if (a is null) return b;
+        if (b is null) return a;
+        return a > b ? a : b;
     }
 }
diff --git a/src/CodeBeam.UltimateAuth.Server/Cookies/IUAuthCookiePolicyBuilder.cs b/src/CodeBeam.UltimateAuth.Server/Cookies/IUAuthCookiePolicyBuilder.cs
@@ -2,10 +2,11 @@
 using CodeBeam.UltimateAuth.Server.Auth;
 using CodeBeam.UltimateAuth.Server.Options;
 using CodeBeam.UltimateAuth.Core.Contracts;
+using CodeBeam.UltimateAuth.Core.Domain;
 
 namespace CodeBeam.UltimateAuth.Server.Cookies;
 
 public interface IUAuthCookiePolicyBuilder
 {
-    CookieOptions Build(CredentialResponseOptions response, AuthFlowContext context, TimeSpan? logicalLifetime);
+    CookieOptions Build(CredentialResponseOptions response, AuthFlowContext context, CredentialKind kind);
 }
diff --git a/src/CodeBeam.UltimateAuth.Server/Infrastructure/DefaultCredentialResponseWriter.cs b/src/CodeBeam.UltimateAuth.Server/Infrastructure/DefaultCredentialResponseWriter.cs
@@ -58,9 +58,7 @@ private void WriteCookie(HttpContext context, CredentialKind kind, string value,
         if (options.Cookie is null)
             throw new InvalidOperationException($"Cookie options missing for credential '{kind}'.");
 
-        var logicalLifetime = ResolveLogicalLifetime(auth, kind);
-        var cookieOptions = _cookiePolicy.Build(options, auth, logicalLifetime);
-
+        var cookieOptions = _cookiePolicy.Build(options, auth, kind);
         _cookieManager.Write(context, options.Cookie.Name, value, cookieOptions);
     }
 
@@ -80,22 +78,4 @@ private static CredentialResponseOptions ResolveDelivery(EffectiveAuthResponse r
             CredentialKind.RefreshToken => response.RefreshTokenDelivery,
             _ => throw new ArgumentOutOfRangeException(nameof(kind))
         };
-
-    private static TimeSpan? ResolveLogicalLifetime(AuthFlowContext auth, CredentialKind kind)
-    {
-        // TODO: Move this method to policy on implementing
-        return kind switch
-        {
-            CredentialKind.Session
-                => auth.EffectiveOptions.Options.Session.IdleTimeout + auth.OriginalOptions.Cookie.Session.Lifetime.IdleBuffer,
-
-            CredentialKind.RefreshToken
-                => auth.EffectiveOptions.Options.Tokens.RefreshTokenLifetime + auth.OriginalOptions.Cookie.RefreshToken.Lifetime.IdleBuffer,
-
-            CredentialKind.AccessToken
-                => auth.EffectiveOptions.Options.Tokens.AccessTokenLifetime + auth.OriginalOptions.Cookie.AccessToken.Lifetime.IdleBuffer,
-
-            _ => null
-        };
-    }
 }

Original file line number	Diff line number	Diff line change
`@@ -2,10 +2,11 @@`
`2`	`2`	`using CodeBeam.UltimateAuth.Server.Auth;`
`3`	`3`	`using CodeBeam.UltimateAuth.Server.Options;`
`4`	`4`	`using CodeBeam.UltimateAuth.Core.Contracts;`
	`5`	`+using CodeBeam.UltimateAuth.Core.Domain;`
`5`	`6`
`6`	`7`	`namespace CodeBeam.UltimateAuth.Server.Cookies;`
`7`	`8`
`8`	`9`	`public interface IUAuthCookiePolicyBuilder`
`9`	`10`	`{`
`10`		`- CookieOptions Build(CredentialResponseOptions response, AuthFlowContext context, TimeSpan? logicalLifetime);`
	`11`	`+ CookieOptions Build(CredentialResponseOptions response, AuthFlowContext context, CredentialKind kind);`
`11`	`12`	`}`