From a58da114d830fb595f1b2651fd3512d0eea5e30d Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Wed, 21 Feb 2024 21:32:42 +0300
Subject: periodically verify oidc refreshtoken
---
include/sessions.php | 22 ++++++++++++++++++++++
login.php | 3 +++
2 files changed, 25 insertions(+)
diff --git a/include/sessions.php b/include/sessions.php
index 556edb9..c561190 100644
--- a/include/sessions.php
+++ b/include/sessions.php
@@ -1,6 +1,8 @@ introspectToken($_SESSION["refresh_token"]);
+
+ if (!$data->active)
+ return false;
+
+ $_SESSION["refresh_token_last_check"] = time();
+
+ } catch (Exception $e) {
+ return false;
+ }
+ }
+ $user = ORM::for_table('epube_users') ->where('username', $_SESSION['owner']) ->find_one();
diff --git a/login.php b/login.php
index 96375d7..36d1890 100644
--- a/login.php
+++ b/login.php
@@ -71,6 +71,9 @@ session_regenerate_id(true);
+ $_SESSION["refresh_token"] = $oidc->getRefreshToken();
+ $_SESSION["refresh_token_last_check"] = time();
+ $_SESSION["owner"] = $username;
$_SESSION["pass_hash"] = sha1($user->pass);
$_SESSION["csrf_token"] = bin2hex(random_bytes(16));
-- cgit v1.2.3
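Review bot: In include/sessions.php the `catch (Exception $e) { return false; }` branch treats every introspection failure like a revoked token and records nothing, so an identity-provider outage and a real revocation cannot be told apart afterwards. Log the failure before returning, for example `error_log("OIDC token introspection failed: " . $e->getMessage());`. The `if (!$data->active)` test also reads a property that an error response may not carry; `if (empty($data->active)) return false;` keeps the fail-closed result without depending on the field being present. Part of this hunk, including the condition that decides when the check runs, is missing from the page, so the check interval is not reviewed here.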
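Review bot: In login.php the value of `$oidc->getRefreshToken()` is stored in the session without checking that the provider actually issued one. If it is empty, the periodic introspection added in include/sessions.php would presumably fail on its first run and end the session; decide that at login instead, e.g. `$refresh_token = $oidc->getRefreshToken(); if (!$refresh_token) { /* reject the login, or skip the periodic check */ }`. The session store now holds a long-lived bearer credential, so a comment such as `// refresh token stays server-side; never echo or log it` next to the assignment would help later maintainers. The surrounding login block starts and ends outside the hunk.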