diff --git a/pkg/auth/token/config.go b/pkg/auth/token/config.go
index 63903239a..d482c5f4d 100644
--- a/pkg/auth/token/config.go
+++ b/pkg/auth/token/config.go
@@ -17,17 +17,25 @@
 package token
 import (
- "strconv"
+ "time"
 "github.com/minio/console/pkg/auth/utils"
 "github.com/minio/pkg/env"
 )
-// ConsoleSTSDurationSeconds returns the default session duration for the STS requested tokens.
-func GetConsoleSTSDurationInSeconds() int {
- duration, err := strconv.Atoi(env.Get(ConsoleSTSDurationSeconds, "3600"))
+// GetConsoleSTSDuration returns the default session duration for the STS requested tokens (defaults to 1h)
+func GetConsoleSTSDuration() time.Duration {
+ durationSeconds := env.Get(ConsoleSTSDurationSeconds, "")
+ if durationSeconds != "" {
+ duration, err := time.ParseDuration(durationSeconds + "s")
+ if err != nil {
+ duration = 1 * time.Hour
+ }
+ return duration
+ }
+ duration, err := time.ParseDuration(env.Get(ConsoleSTSDuration, "1h"))
 if err != nil {
- duration = 3600
+ duration = 1 * time.Hour
 }
 return duration
 }
diff --git a/pkg/auth/token/const.go b/pkg/auth/token/const.go
index f964df3db..17182269b 100644
--- a/pkg/auth/token/const.go
+++ b/pkg/auth/token/const.go
@@ -17,7 +17,8 @@
 package token
 const (
- ConsoleSTSDurationSeconds = "CONSOLE_STS_DURATION_SECONDS"
+ ConsoleSTSDurationSeconds = "CONSOLE_STS_DURATION_SECONDS" // (deprecated), set value in seconds for sts session, ie: 3600
+ ConsoleSTSDuration = "CONSOLE_STS_DURATION" // time.Duration format, ie: 3600s, 2h45m, 1h, etc
 ConsolePBKDFPassphrase = "CONSOLE_PBKDF_PASSPHRASE"
 ConsolePBKDFSalt = "CONSOLE_PBKDF_SALT"
 )
diff --git a/restapi/client.go b/restapi/client.go
index ba92541cd..bf41d5d0e 100644
--- a/restapi/client.go
+++ b/restapi/client.go
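Review bot: GetConsoleSTSDuration in pkg/auth/token/config.go returns whatever time.ParseDuration accepts, so `CONSOLE_STS_DURATION=0s` or a negative duration passes through unchanged, while a malformed value silently becomes one hour with nothing logged. The same value now drives both the STS request in restapi/client.go and the session cookie's MaxAge/Expires in restapi/utils.go, so a non-positive result yields a cookie that is already expired and a very large one yields a long-lived session. Rejecting non-positive values and folding the two parse branches into one keeps the fallback in a single place; an upper bound matching what the STS endpoint accepts would also be worth adding, but that limit is not visible here. A deprecated value that already carries a unit (for example `3600s`) becomes `3600ss` and also falls back silently, so a warning on fallback would help operators notice a misconfiguration.

```go
func GetConsoleSTSDuration() time.Duration {
	const fallback = 1 * time.Hour
	raw := env.Get(ConsoleSTSDuration, "1h")
	// The deprecated variable still takes precedence and is expressed in whole seconds.
	if secs := env.Get(ConsoleSTSDurationSeconds, ""); secs != "" {
		raw = secs + "s"
	}
	duration, err := time.ParseDuration(raw)
	// A zero or negative lifetime would produce an already-expired session cookie.
	if err != nil || duration <= 0 {
		return fallback
	}
	return duration
}
```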
@@ -326,7 +326,7 @@ func NewConsoleCredentials(accessKey, secretKey, location string) (*credentials.
 AccessKey: accessKey,
 SecretKey: secretKey,
 Location: location,
- DurationSeconds: xjwt.GetConsoleSTSDurationInSeconds(),
+ DurationSeconds: int(xjwt.GetConsoleSTSDuration()),
 }
 stsAssumeRole := &credentials.STSAssumeRole{
 Client: GetConsoleHTTPClient(),
diff --git a/restapi/config.go b/restapi/config.go
index 151c6a19e..90eeeaad4 100644
--- a/restapi/config.go
+++ b/restapi/config.go
@@ -23,7 +23,6 @@ import (
 "net/url"
 "strconv"
 "strings"
- "time"
 miniov2 "github.com/minio/operator/pkg/apis/minio.min.io/v2"
@@ -46,9 +45,6 @@ var (
 // TLSRedirect console tls redirect rule
 TLSRedirect = "on"
-
- // SessionDuration cookie validity duration
- SessionDuration = 45 * time.Minute
 )
 func getMinIOServer() string {
diff --git a/restapi/utils.go b/restapi/utils.go
index e77b28bed..314df8400 100644
--- a/restapi/utils.go
+++ b/restapi/utils.go
@@ -23,6 +23,8 @@ import (
 "os"
 "strings"
 "time"
+
+ xjwt "github.com/minio/console/pkg/auth/token"
 )
 // Do not use:
@@ -106,12 +108,13 @@ func FileExists(filename string) bool {
 }
 func NewSessionCookieForConsole(token string) http.Cookie {
+ sessionDuration := xjwt.GetConsoleSTSDuration()
 return http.Cookie{
 Path: "/",
 Name: "token",
 Value: token,
- MaxAge: int(SessionDuration.Seconds()), // 45 minutes
- Expires: time.Now().Add(SessionDuration),
+ MaxAge: int(sessionDuration.Seconds()), // default 1 hr
+ Expires: time.Now().Add(sessionDuration),
 HttpOnly: true,
 // if len(GlobalPublicCerts) > 0 is true, that means Console is running with TLS enable and the browser
 // should not leak any cookie if we access the site using HTTP
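Review bot: In restapi/client.go, `int(xjwt.GetConsoleSTSDuration())` converts a time.Duration to its nanosecond count, so the one-hour default puts 3600000000000 into `DurationSeconds` instead of 3600. The cookie code in restapi/utils.go in this same commit converts with `.Seconds()`, and this line should do the same: `DurationSeconds: int(xjwt.GetConsoleSTSDuration().Seconds()),`. How the STS endpoint treats the oversized value is not visible here, but the requested credential lifetime will not match what the operator configured. NewConsoleCredentials starts and ends outside the hunk.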
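Review bot: NewSessionCookieForConsole in restapi/utils.go has no doc comment, and its cookie lifetime is now tied to the STS setting rather than the removed 45-minute `SessionDuration`, which nothing in the function records. A comment such as `// NewSessionCookieForConsole builds the session cookie; its MaxAge and Expires follow GetConsoleSTSDuration (CONSOLE_STS_DURATION, default 1h).` would make that coupling visible to whoever changes either side next. If the intent is that the cookie never outlives the STS credentials, the comment should state that as well; that intent is inferred from the change, not shown in it. The function body continues past the end of the hunk.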