From 16875ae5752cfa2672895d5520e99f67e9823fe8 Mon Sep 17 00:00:00 2001 From: Alan Parra Date: Tue, 3 Dec 2024 17:35:17 -0300 Subject: [PATCH 1/2] fix: Take TTL into account when renewing sessions --- .../src/services/websession/websession.ts | 27 +++++++++++++++---- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/web/packages/teleport/src/services/websession/websession.ts b/web/packages/teleport/src/services/websession/websession.ts index 35f3763fdddfd..11126b0673b9d 100644 --- a/web/packages/teleport/src/services/websession/websession.ts +++ b/web/packages/teleport/src/services/websession/websession.ts @@ -26,9 +26,8 @@ import { KeysEnum, storageService } from 'teleport/services/storageService'; import makeBearerToken from './makeBearerToken'; import { RenewSessionRequest } from './types'; -// Time to determine when to renew session which is -// when expiry time of token is less than 3 minutes. -const RENEW_TOKEN_TIME = 180 * 1000; +const MAX_RENEW_TOKEN_TIME = 180000; // 3m +const MIN_RENEW_TOKEN_TIME = 30000; // 30s const TOKEN_CHECKER_INTERVAL = 15 * 1000; // every 15 sec const logger = Logger.create('services/session'); @@ -146,11 +145,14 @@ const session = { return false; } - // Renew session if token expiry time is less than 3 minutes. + // Renew session if token expiry time is less than renewTime (with a floor + // of 30s and a ceiling of 3m). // Browsers have js timer throttling behavior in inactive tabs that can go // up to 100s between timer calls from testing. 3 minutes seems to be a safe number // with extra padding. - return this._timeLeft() < RENEW_TOKEN_TIME; + let renewTime = Math.min(this._ttl() / 10, MAX_RENEW_TOKEN_TIME); + renewTime = Math.max(renewTime, MIN_RENEW_TOKEN_TIME); + return this._timeLeft() < renewTime; }, _renewToken(req: RenewSessionRequest = {}, signal?: AbortSignal) { @@ -214,6 +216,21 @@ const session = { return delta; }, + _ttl() { + const token = this._getBearerToken(); + if (!token) { + return 0; + } + + let { expiresIn, created } = token; + if (!created || !expiresIn) { + return 0; + } + + expiresIn = expiresIn * 1000; + return expiresIn; + }, + _shouldCheckStatus() { if (this._getIsRenewing()) { return false; From 6df2f7b7b3ba9fd6b5d771339966693cb234f92b Mon Sep 17 00:00:00 2001 From: Alan Parra Date: Wed, 4 Dec 2024 10:36:03 -0300 Subject: [PATCH 2/2] Update comments --- web/packages/teleport/src/services/websession/websession.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/web/packages/teleport/src/services/websession/websession.ts b/web/packages/teleport/src/services/websession/websession.ts index 11126b0673b9d..a9371db9e060d 100644 --- a/web/packages/teleport/src/services/websession/websession.ts +++ b/web/packages/teleport/src/services/websession/websession.ts @@ -145,8 +145,8 @@ const session = { return false; } - // Renew session if token expiry time is less than renewTime (with a floor - // of 30s and a ceiling of 3m). + // Renew session if token expiry time is less than renewTime (with MIN_ and + // MAX_RENEW_TOKEN_TIME as floor and ceiling, respectively). // Browsers have js timer throttling behavior in inactive tabs that can go // up to 100s between timer calls from testing. 3 minutes seems to be a safe number // with extra padding.