~nevkontakte


#132 Make CSRF token expiration configurable 1 year, 6 months ago

Comment by ~nevkontakte on ~tsileo/microblog.pub

Thank you!

#137 Login session lifetime 1 year, 7 months ago

Comment by ~nevkontakte on ~tsileo/microblog.pub

I believe session_timeout = 123 would work, where 123 is the duration in seconds. However, as I described above, that won't buy you much because of the limited cookie lifetime.

#137 Login session lifetime 1 year, 7 months ago

Ticket created by ~nevkontakte on ~tsileo/microblog.pub

I noticed a few issues with the admin login session:

  • Although session_timeout can be changed in the config, the cookie lifetime is limited to a single browser session, so whenever a browser is restarted, you have to log in again. This is particularly inconvenient on mobile, where the OS tends to unload the browser pretty aggressively.
  • It seems like the cookie is never refreshed after login, which means you'll be forced to re-authenticate after the session_timeout since the login, even if you've been using the app all along. I think it would be better to refresh the cookie regularly to prevent that.

I'd be happy to propose a patch for both issues.

#132 Make CSRF token expiration configurable 1 year, 7 months ago

Ticket created by ~nevkontakte on ~tsileo/microblog.pub

Currently CSRF token timeout is hard-coded at 1800 seconds. This often becomes inconvenient when I want to perform an action on a page that I loaded a while ago. A couple of typical cases:

  • Reading the timeline on a phone is often done in small chunks of time, so I load a page and slowly scroll through it. If I attempt to like something more than half an hour later, it fails with a CSRF error. Reloading the page is also not ideal because it loses my reading position.
  • Writing any non-trivial post may take longer than 30m, especially if I have to look up/research something.

For myself, I don't see much threat from increasing CSRF lifetime to something on the order of several hours, so I would like to have that option.
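The two tickets above ask for the same mechanism from two angles: a signed, timestamped token whose maximum age is a configurable setting (the CSRF case in #132), and a session cookie that is re-issued on each request so that an active user is not logged out at `session_timeout` since login (#137). The following is an added, stand-alone illustration, not code from microblog.pub; the `TokenSigner` class, the `refresh_session` helper and the secret value are constructed for this example, and the absolute-lifetime cap on a session is an assumption rather than something either ticket requests.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple


class TokenSigner:
    """HMAC-SHA256 over "value|issued_at"; the age limit is chosen by the verifier,
    so the same token format serves CSRF tokens and session cookies with different TTLs."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret

    def _mac(self, payload: str) -> str:
        return hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()

    def sign(self, value: str, now: Optional[float] = None) -> str:
        issued = int(time.time() if now is None else now)
        payload = f"{value}|{issued}"
        return f"{payload}|{self._mac(payload)}"

    def verify(self, token: str, max_age: int, now: Optional[float] = None) -> Optional[str]:
        """Return the embedded value, or None if the MAC is bad or the token is older than max_age."""
        try:
            value, issued_s, mac = token.rsplit("|", 2)
            issued = int(issued_s)
        except ValueError:
            return None
        if not hmac.compare_digest(mac, self._mac(f"{value}|{issued_s}")):
            return None
        current = time.time() if now is None else now
        if current - issued > max_age:
            return None
        return value


def refresh_session(signer: TokenSigner, cookie: str, session_timeout: int,
                    absolute_max: int, now: float) -> Optional[Tuple[str, str]]:
    """Sliding session: the cookie value is "user:login_at" and is re-signed with a fresh
    issued_at on every successful request, so the idle timeout restarts while the user is
    active. login_at never changes, so absolute_max still bounds the total lifetime."""
    value = signer.verify(cookie, session_timeout, now)
    if value is None:
        return None
    user, login_at = value.rsplit(":", 1)
    if now - int(login_at) > absolute_max:
        return None
    return user, signer.sign(value, now)  # hand the re-issued cookie back to the client
```

A configurable `csrf_token_lifetime` then becomes the `max_age` passed to `verify`, independent of the session's own timeout.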

#86 Optional postgres support 1 year, 11 months ago

Comment by ~nevkontakte on ~tsileo/microblog.pub

I see, that's fair. SQLite it is then. Thanks for the quick response!

#86 Optional postgres support 1 year, 11 months ago

Ticket created by ~nevkontakte on ~tsileo/microblog.pub

It would be nice if microblog.pub allowed using Postgres as a database, instead of SQLite. After a quick glance over the code it doesn't seem like there is anything SQLite-specific about the app, other than the hard-coded database connection string, so maybe it wouldn't be hard to add?

I know that for many SQLite is very convenient for its low setup overhead, but in my case, I already run a Postgres server which a few of my apps use, and I have all necessary infrastructure around it, such as backups, so consolidating all data in one place would simplify some things for me.

Thanks!