Ensure oauth secure cookie expires

If login isn't completed in 10 minutes, expire the cookie and require a
start-over.

Author: mhagander

pgweb/account/oauthclient.py

@@ -10,6 +10,7 @@
 import json
 import os
 import sys
+import time
 import urllib.parse
 from Cryptodome import Random
 from Cryptodome.Cipher import AES
@@ -38,6 +39,7 @@ def configure():
 
 
 def set_encrypted_oauth_cookie_on(response, cookiecontent, path=None):
+    cookiecontent['_ts'] = time.time()
     cookiedata = json.dumps(cookiecontent)
     r = Random.new()
     nonce = r.read(16)
@@ -73,7 +75,13 @@ def get_encrypted_oauth_cookie(request):
         base64.urlsafe_b64decode(parts['t'][0]),
     )
 
-    return json.loads(s)
+    d = json.loads(s)
+    if time.time() - d['_ts'] > 10 * 60:
+        # 10 minutes to complete oauth login
+        raise OAuthException("Cookie expired")
+    del d['_ts']
+
+    return d
 
 
 def delete_encrypted_oauth_cookie_on(response):