fix: refresh auth freshness during active sessions

2026-04-01 17:48:04 +02:00
parent 6254a059b4
commit 5fab01d57a
2 changed files with 23 additions and 1 deletions
--- a/backend/workflows/middleware.py
+++ b/backend/workflows/middleware.py
@@ -154,7 +154,10 @@ class AuthSessionHardeningMiddleware:

    def _touch_session(self, request, now_ts: int) -> None:
        request.session['last_activity_ts'] = now_ts
-        request.session.setdefault('auth_fresh_ts', now_ts)
+        if request.method in {'GET', 'HEAD'}:
+            request.session['auth_fresh_ts'] = now_ts
+        else:
+            request.session.setdefault('auth_fresh_ts', now_ts)

    def _warn(self, request, message: str) -> None:
        try:
--- a/backend/workflows/tests/test_security_hardening.py
+++ b/backend/workflows/tests/test_security_hardening.py
@@ -94,3 +94,22 @@ class AuthSessionHardeningTests(TestCase):
        response = client.post('/admin-tools/branding/save/', {'portal_title': 'Blocked'}, HTTP_HOST='localhost')
        self.assertEqual(response.status_code, 302)
        self.assertIn('/accounts/login/', response['Location'])
+
+    @override_settings(SENSITIVE_ACTION_REAUTH_SECONDS=60)
+    def test_recent_get_refreshes_fresh_auth_for_sensitive_post(self):
+        client = Client(REMOTE_ADDR='10.10.10.61')
+        client.force_login(self.user)
+        session = client.session
+        session['last_activity_ts'] = 9999999999
+        session['auth_fresh_ts'] = 1
+        session.save()
+
+        home_response = client.get('/', HTTP_HOST='localhost')
+        self.assertEqual(home_response.status_code, 200)
+
+        session = client.session
+        self.assertGreater(session['auth_fresh_ts'], 1)
+
+        response = client.post('/admin-tools/branding/save/', {'portal_title': 'Blocked'}, HTTP_HOST='localhost')
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response['Location'], '/')