From 57c154a72cc6dbc997c07b159e76a1ddd5cc02ee Mon Sep 17 00:00:00 2001
From: moson-mo
Date: Thu, 25 May 2023 14:07:27 +0200
Subject: [PATCH] fix: increase expiry for AURLANG cookie; only set when needed

We add a new config option for cookies with a 400 day lifetime. AURLANG should survive longer for unauthenticated users. Today they have to set this again after each browser restart. (for users whose browsers wipe session cookies on close) authenticated users don't need this cookie since the setting is saved to the DB

Signed-off-by: moson-mo
---
 aurweb/routers/html.py | 29 +++++++++++++++++++----------
 conf/config.defaults | 4 ++++
 2 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/aurweb/routers/html.py b/aurweb/routers/html.py
index 33aeb904..38303837 100644
--- a/aurweb/routers/html.py
+++ b/aurweb/routers/html.py
@@ -56,19 +56,28 @@ async def language(
query_string = "?" + q if q else str() - # If the user is authenticated, update the user's LangPreference. - if request.user.is_authenticated(): - with db.begin(): - request.user.LangPreference = set_lang - - # In any case, set the response's AURLANG cookie that never expires. response = RedirectResponse( url=f"{next}{query_string}", status_code=HTTPStatus.SEE_OTHER ) - secure = aurweb.config.getboolean("options", "disable_http_login") - response.set_cookie( - "AURLANG", set_lang, secure=secure, httponly=secure, samesite=cookies.samesite() - ) + + # If the user is authenticated, update the user's LangPreference. + # Otherwise set an AURLANG cookie + if request.user.is_authenticated(): + with db.begin(): + request.user.LangPreference = set_lang + else: + secure = aurweb.config.getboolean("options", "disable_http_login") + perma_timeout = aurweb.config.getint("options", "permanent_cookie_timeout") + + response.set_cookie( + "AURLANG", + set_lang, + secure=secure, + httponly=secure, + max_age=perma_timeout, + samesite=cookies.samesite(), + ) + return response 
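Review bot: The authenticated branch now only writes `LangPreference` to the DB and no longer touches the cookie, so an AURLANG cookie issued to the same browser before login stays in place for up to permanent_cookie_timeout; if the language lookup elsewhere consults the cookie before LangPreference (not visible here), that stale value would shadow the saved preference, and clearing it with `response.delete_cookie("AURLANG")` in that branch would remove the doubt. The else branch also carries over `httponly=secure`, which ties the HttpOnly flag to the HTTPS-only setting disable_http_login; nothing in the hunk suggests script needs to read this cookie, so `httponly=True` regardless of transport would be the more conservative choice. `set_lang` is stored into the cookie as received and its validation happens before this hunk, so confirm it is restricted to the supported language codes. The enclosing `language` function starts outside the hunk.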
diff --git a/conf/config.defaults b/conf/config.defaults
index bb390d8a..17e81b7b 100644
--- a/conf/config.defaults
+++ b/conf/config.defaults
@@ -14,8 +14,12 @@ passwd_min_len = 8
 default_lang = en
 default_timezone = UTC
 sql_debug = 0
+; 2 hours - default login_timeout
 login_timeout = 7200
+; 30 days - default persistent_cookie_timeout
 persistent_cookie_timeout = 2592000
+; 400 days - default permanent_cookie_timeout
+permanent_cookie_timeout = 34560000
 max_filesize_uncompressed = 8388608
 disable_http_login = 1
 aur_location = https://aur.archlinux.org
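Review bot: The new key `permanent_cookie_timeout` differs from the existing `persistent_cookie_timeout` by only a few letters, and the comment `; 400 days - default permanent_cookie_timeout` says nothing about which cookies it governs, so an operator editing one could easily touch the other. A comment naming its use would help, e.g. `; 400 days - lifetime of the AURLANG cookie set for unauthenticated users (permanent_cookie_timeout)`. 34560000 seconds is exactly 400 days, which is also the Max-Age ceiling that browsers following RFC 6265bis enforce, so a larger value here would be silently capped by those browsers; the comment could say so.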