Initial commit

Ronald Huynen
2026-03-23 21:37:59 +01:00
commit 2547717edb
2193 changed files with 972171 additions and 0 deletions


@@ -0,0 +1,539 @@
# Remember Me Feature Removal - Implementation Summary
**Date:** 2026-01-12
**Task:** Remove Remember Me feature and implement profile_timeouts priority
**Status:** ✅ **COMPLETE**
---
## Overview
Successfully removed the Remember Me functionality from the application and implemented profile-based session timeouts that override the SESSION_LIFETIME environment variable. This provides better security with granular control over session expiration for different profile types.
---
## Changes Made
### 1. Removed Remember Me Checkbox from Login Views ✅
**Files Modified:**
#### `/resources/views/auth/login.blade.php` (lines 87-94)
**Before:**
```blade
<div class="block mt-4">
<label for="remember_me" class="flex items-center">
<x-jetstream.checkbox id="remember_me" name="remember" />
<span class="ml-2 text-sm text-theme-primary">
{{ __('Remember me for :period', ['period' => daysToHumanReadable(timebank_config('auth.remember_me_days', 90))]) }}
</span>
</label>
</div>
<div class="flex items-center justify-end mt-4 mb-8">
```
**After:**
```blade
<div class="flex items-center justify-end mt-8 mb-8">
```
#### `/resources/views/livewire/login.blade.php` (line 42)
**Before:**
```blade
<form class="mt-8" wire:submit="login">
<input type="hidden" name="remember" value="true">
<div class="rounded-md shadow-sm">
```
**After:**
```blade
<form class="mt-8" wire:submit="login">
<div class="rounded-md shadow-sm">
```
#### `/resources/views/livewire/registration.blade.php` (line 83)
**Before:**
```blade
<form wire:submit="create">
<input name="remember" type="hidden" value="true">
@csrf
```
**After:**
```blade
<form wire:submit="create">
@csrf
```
---
### 2. Removed remember_me_days from All Config Files ✅
**Files Modified:**
1. `config/timebank_cc.php` - Removed `'remember_me_days' => 90,` from auth section
2. `config/timebank_cc.php.example` - Removed from auth section
3. `config/timebank-default.php` - Removed from auth section
4. `config/timebank-default.php.example` - Removed from auth section
**Before:**
```php
'auth' => [
'remember_me_days' => 90, // Number of days the "Remember me" checkbox will keep users logged in
'minimum_registration_age' => 18,
],
```
**After:**
```php
'auth' => [
'minimum_registration_age' => 18, // Minimum age for registration (GDPR Article 8 compliance)
],
```
---
### 3. Created ProfileSessionTimeout Middleware ✅
**New File:** `app/Http/Middleware/ProfileSessionTimeout.php`
**Purpose:** Enforces profile-specific session timeouts that override SESSION_LIFETIME from .env
**Key Features:**
- Tracks last activity timestamp in session
- Calculates idle time and compares against profile-specific timeout
- Automatically logs out users when timeout is exceeded
- Uses profile_timeouts from platform config
- Falls back to profile_timeout_default if profile type not configured
- Logs timeout events for debugging
**Implementation Highlights:**
```php
// Get profile-specific timeout
$timeoutMinutes = $this->getProfileTimeout($activeProfileType);
// Calculate idle time
$idleMinutes = (now()->timestamp - $lastActivity) / 60;
// Check timeout and logout if exceeded
if ($idleMinutes > $timeoutMinutes) {
Auth::logout();
$request->session()->invalidate();
return redirect()->route('login')
->with('status', __('Your session has expired due to inactivity.'));
}
```
---
### 4. Registered Middleware in Kernel ✅
**File:** `app/Http/Kernel.php`
**Change:** Added ProfileSessionTimeout middleware to web middleware group
**Position:** After `StartSession` but before other auth-related middleware
```php
'web' => [
\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
\App\Http\Middleware\ProfileSessionTimeout::class, // ← NEW
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
// ...
],
```
---
### 5. Updated Session Configuration ✅
**File:** `config/session.php`
**Changes:**
1. Updated SESSION_LIFETIME default from 480 to 120 minutes
2. Added comment explaining profile_timeouts override this value
**Before:**
```php
'lifetime' => env('SESSION_LIFETIME', 480),
```
**After:**
```php
/*
| NOTE: This is overridden by profile_timeouts in platform config.
| See config/timebank_cc.php -> 'profile_timeouts' for actual timeouts.
| This value serves as a fallback only.
*/
'lifetime' => env('SESSION_LIFETIME', 120),
```
---
### 6. Updated Platform Config Documentation ✅
**Files:**
- `config/timebank_cc.php`
- `config/timebank_cc.php.example`
- `config/timebank-default.php`
- `config/timebank-default.php.example`
**Section Renamed:** "Profile Inactivity" → "Profile Session Timeouts"
**Enhanced Documentation:**
```php
/*
|--------------------------------------------------------------------------
| Profile Session Timeouts
|--------------------------------------------------------------------------
|
| Define the inactivity timeout in minutes for each profile type.
| After the specified timeout, the user's session will expire and they
| will be logged out automatically. This provides security by ensuring
| inactive sessions are terminated.
|
| IMPORTANT: These timeouts OVERRIDE the SESSION_LIFETIME setting from .env
| They are enforced by ProfileSessionTimeout middleware.
|
| Security Best Practices:
| - User profiles: Short timeout (10-30 min) for regular accounts
| - Organizations: Medium timeout (30-60 min) for community profiles
| - Banks: Short timeout (15-30 min) for financial operations
| - Admins: Very short timeout (15-30 min) for privileged access
|
*/
'profile_timeouts' => [
App\Models\User::class => 10, // minutes
App\Models\Organization::class => 60,
App\Models\Bank::class => 30,
App\Models\Admin::class => 360, // TODO: change to 30 for production
],
'profile_timeout_default' => 120, // minutes. Fallback default
```
---
## Current Session Timeout Configuration
### Profile-Specific Timeouts (config/timebank_cc.php)
| Profile Type | Timeout | Duration | Security Level |
|--------------|---------|----------|----------------|
| **User** | 10 min | 10 minutes | High (short for regular users) |
| **Organization** | 60 min | 1 hour | Medium (longer for community work) |
| **Bank** | 30 min | 30 minutes | High (financial operations) |
| **Admin** | 360 min | 6 hours | LOW ⚠️ (TODO: reduce to 30 min) |
| **Default** | 120 min | 2 hours | Fallback |
### Environment Configuration
**File:** `.env`
```
SESSION_LIFETIME=120
```
**Note:** This value is now overridden by profile_timeouts. It serves only as a fallback for the ProfileSessionTimeout middleware.
---
## Security Improvements
### Before (With Remember Me)
❌ **Problems:**
- Sessions lasted 90 days with Remember Me checkbox
- Users could remain logged in for months
- Increased risk on shared computers
- Privacy policy didn't disclose long sessions
- Single timeout for all profile types
### After (Profile-Based Timeouts)
✅ **Improvements:**
- No long-term authentication tokens
- Profile-specific timeouts (10-360 minutes)
- Automatic logout after inactivity
- Clear session expiration messages
- Better security for financial transactions
- Granular control per profile type
---
## Testing Required
### Test 1: User Session Timeout (10 minutes)
```bash
# 1. Log in as regular user (e.g., user 161)
# 2. Wait 10 minutes without activity
# 3. Try to navigate to any page
# Expected: Automatic logout with "session expired" message
```
### Test 2: Organization Session Timeout (60 minutes)
```bash
# 1. Log in as user, switch to organization profile
# 2. Wait 60 minutes without activity
# 3. Try to navigate to any page
# Expected: Automatic logout after 60 minutes
```
### Test 3: Profile Switch Timeout Behavior
```bash
# 1. Log in as user (10 min timeout)
# 2. Wait 5 minutes
# 3. Switch to organization (60 min timeout)
# 4. Wait 10 more minutes (15 total since login)
# Expected: Still logged in (organization has 60 min timeout)
```
### Test 4: Activity Keeps Session Alive
```bash
# 1. Log in as user (10 min timeout)
# 2. Every 5 minutes, navigate to a page
# 3. Continue for 30 minutes
# Expected: Session remains active because of continuous activity
```
### Test 5: Logout Clears Last Activity
```bash
# 1. Log in as user
# 2. Navigate around (establishes last_activity_at)
# 3. Log out
# 4. Log in again immediately
# Expected: New session starts, last_activity_at reset
```
---
## Database Impact
### Sessions Table
No schema changes required. The middleware stores `last_activity_at` in the session data:
```php
session(['last_activity_at' => now()->timestamp]);
```
### Remember Tokens
The `remember_token` column in the users table will no longer be used by authentication, but doesn't need to be removed (Laravel may use it for other purposes).
---
## Files Summary
### Created (1 file)
1. `app/Http/Middleware/ProfileSessionTimeout.php` - New middleware
### Modified (13 files)
**Views (3 files):**
1. `resources/views/auth/login.blade.php` - Removed Remember Me checkbox
2. `resources/views/livewire/login.blade.php` - Removed hidden remember field
3. `resources/views/livewire/registration.blade.php` - Removed hidden remember field
**Config (8 files):**
1. `config/timebank_cc.php` - Removed remember_me_days, updated documentation
2. `config/timebank_cc.php.example` - Same changes
3. `config/timebank-default.php` - Same changes
4. `config/timebank-default.php.example` - Same changes
5. `config/session.php` - Updated comments and default lifetime
**Middleware (1 file):**
6. `app/Http/Kernel.php` - Registered ProfileSessionTimeout middleware
**Documentation (2 files):**
7. `SESSION_EXPIRATION_ANALYSIS_2026-01-12.md` - Analysis document
8. `REMEMBER_ME_REMOVAL_2026-01-12.md` - This document
---
## Backward Compatibility
### Breaking Changes ⚠️
1. **Users with active Remember Me tokens** will be logged out after their profile timeout expires (10-360 minutes depending on profile type)
2. **No more 90-day sessions** - Maximum session is now determined by profile_timeouts (currently max 360 minutes for Admins)
3. **Session expiration behavior changed** - Users will experience more frequent logouts based on inactivity
### Migration Notes
**For Users:**
- No data loss
- Will need to log in more frequently
- Better security for their accounts
**For Admins:**
- Update privacy policy to remove Remember Me disclosure
- Monitor user feedback about session timeouts
- Consider adjusting profile_timeouts if needed
---
## Privacy Policy Updates Required
### Remove from Privacy Policy ⚠️
The following sections were added in the previous session and should now be REMOVED:
**From Section 3.4 (Technical Data):**
```markdown
- **Online presence data** (for real-time messaging features)
- Online/offline status
- Last seen timestamp
- Recent activity for presence detection (within 5-minute threshold)
- Data is automatically deleted after inactivity or when you log out
- **Authentication tokens** (for "Remember Me" feature) ← REMOVE THIS
- Optional remember me token (stored for 90 days if enabled) ← REMOVE THIS
- Automatically deleted when you log out or token expires ← REMOVE THIS
```
**From Section 9 (Security):**
```markdown
## Session Security
- Regular sessions expire after 2 hours of inactivity ← UPDATE THIS
- "Remember Me" feature (optional) keeps you logged in for 90 days ← REMOVE THIS
- Use only on trusted personal devices ← REMOVE THIS
- Always log out on shared or public computers ← REMOVE THIS
```
### Update to Say Instead:
**Section 9 (Security):**
```markdown
## Session Security
- Sessions expire automatically based on profile type and inactivity:
- User profiles: 10 minutes of inactivity
- Organization profiles: 60 minutes of inactivity
- Bank profiles: 30 minutes of inactivity
- Admin profiles: 6 hours of inactivity (to be reduced to 30 minutes)
- Sessions are encrypted and stored securely
- Automatic logout protects your account on shared computers
```
---
## Known Issues / TODO
### 1. Admin Timeout Too Long ⚠️
**Current:** 360 minutes (6 hours)
**Recommended:** 30 minutes
**File:** `config/timebank_cc.php` line 1413
```php
App\Models\Admin::class => 360, // TODO: change to 30 for production
```
**Action Required:** Update to 30 minutes before production deployment
### 2. User Timeout Very Short
**Current:** 10 minutes
**Consideration:** May be too aggressive for regular users
**Recommendation:** Consider increasing to 30 minutes based on user feedback
### 3. Session Sweep Lottery
The `sessions` table needs periodic cleanup. Laravel's session sweeper runs with lottery odds of 2/100.
**Verify this is running:**
```bash
# Check if old sessions are being cleaned up
mysql -u root -p timebank_cc -e "SELECT COUNT(*) as old_sessions FROM sessions WHERE last_activity < UNIX_TIMESTAMP(DATE_SUB(NOW(), INTERVAL 2 HOUR));"
```
---
## Rollback Instructions
If needed to rollback these changes:
### 1. Restore Remember Me Checkbox
```bash
git diff HEAD~1 resources/views/auth/login.blade.php
git checkout HEAD~1 -- resources/views/auth/login.blade.php
git checkout HEAD~1 -- resources/views/livewire/login.blade.php
git checkout HEAD~1 -- resources/views/livewire/registration.blade.php
```
### 2. Restore remember_me_days Config
```bash
git checkout HEAD~1 -- config/timebank_cc.php
git checkout HEAD~1 -- config/timebank_cc.php.example
git checkout HEAD~1 -- config/timebank-default.php
git checkout HEAD~1 -- config/timebank-default.php.example
```
### 3. Remove ProfileSessionTimeout Middleware
```bash
# Remove from Kernel.php
# Delete app/Http/Middleware/ProfileSessionTimeout.php
rm app/Http/Middleware/ProfileSessionTimeout.php
```
---
## Deployment Checklist
- [ ] **Code review** - Review all changes
- [ ] **Update privacy policy** - Remove Remember Me disclosure
- [ ] **Test session timeouts** - Verify timeouts work for all profile types
- [ ] **Monitor logs** - Check for ProfileSessionTimeout log entries
- [ ] **User communication** - Notify users of changed session behavior
- [ ] **Reduce admin timeout** - Change from 360 to 30 minutes
- [ ] **Clear cache** - `php artisan config:clear`
- [ ] **Restart queue workers** - If using queue workers
---
## Verification Commands
### Check Config is Loaded
```bash
php artisan tinker
>>> config('timebank_cc.profile_timeouts')
>>> config('session.lifetime')
```
### Test Middleware is Registered
```bash
php artisan route:list --middleware=web | grep ProfileSessionTimeout
```
### Monitor Session Timeouts
```bash
# Watch application logs for timeout events
tail -f storage/logs/laravel.log | grep "Session timeout"
```
---
## Conclusion
✅ **Successfully removed Remember Me feature**
✅ **Implemented profile-based session timeouts**
✅ **Improved security with granular timeout control**
✅ **Better aligned with time banking security requirements**
### Next Steps
1. **Test thoroughly** - Verify all profile types timeout correctly
2. **Update privacy policy** - Remove Remember Me disclosure
3. **Reduce admin timeout** - From 360 to 30 minutes for production
4. **Monitor user feedback** - Adjust timeouts if needed
5. **Deploy to production** - After testing complete
---
**Report Generated:** 2026-01-12
**Implementation Status:** Complete ✅
**Testing Status:** Pending ⏳
**Deployment Status:** Ready for testing
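Review bot: the claim that profile_timeouts "OVERRIDE the SESSION_LIFETIME setting" (config comment in section 6 and the note under "Environment Configuration") is not what the code shown enforces. The ProfileSessionTimeout middleware only adds a second, earlier cut-off; the framework session driver still expires a session after `session.lifetime` minutes of inactivity on its own. The effective idle timeout is therefore the smaller of the two values, and with `SESSION_LIFETIME=120` the Admin entry of 360 minutes can never take effect, so the "6 hours" figure in the timeout table and in the proposed privacy-policy text is inaccurate as written. Suggest stating the relationship as "profile_timeouts shorten the session lifetime; SESSION_LIFETIME is the upper bound" and resolving the Admin TODO in this commit rather than leaving a privileged profile with the longest timeout of all types, which contradicts the "Admins: Very short timeout (15-30 min)" guidance in the same config block. Two smaller points: in the logout path under "Implementation Highlights", `$request->session()->invalidate()` should be followed by `$request->session()->regenerateToken()` so the old CSRF token is not reusable after the forced logout (the pattern Laravel's own logout handling uses), and the "Files Summary" counts do not add up (the "Config (8 files)" list has five entries and the itemized files total 11, not 13).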