This repository has been archived by the owner on Aug 28, 2023. It is now read-only.

add constants for max time and life time
lovemaths committed Sep 22, 2016
1 parent 2ac42b0 commit 353999e
Showing 1 changed file with 12 additions and 2 deletions.
14 changes: 12 additions & 2 deletions lib/oidcstrategy.js
Expand Up @@ -58,6 +58,16 @@ const memoryCache = cacheManager.caching({ store: 'memory', max: 3600, ttl: 1800
const ttl = 1800; // 30 minutes cache
// Note: callback is optional in set() and del().

// For each microsoft login page, we generate a tuple containing nonce/state/etc, and save it in session.
// 1. NONCE_LIFE_TIME is the default life time of the tuple. The default value is 3600 seconds. The life
// time is configurable by user.
// 2. NONCE_MAX_AMOUNT is the max amount of tuples a user's session can have. We limit it to 10.
// This value limits the amount of microsoft login page tabs a user can open before the user types
// username and password to 10. If the user opens more than 10 login tabs, we only honor the most
// recent 10 tabs within the life time.
const NONCE_MAX_AMOUNT = 10;
const NONCE_LIFE_TIME = 3600; // second

function makeProfileObject(src, raw) {
return {
// Prior to OpenID Connect Basic Client Profile 1.0 - draft 22, the
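Review bot: the new comment block restates the literal value ("The default value is 3600 seconds", "We limit it to 10") that the constants just below are meant to be the single source of, so the prose will silently go stale if `NONCE_MAX_AMOUNT` or `NONCE_LIFE_TIME` is ever changed; phrase the comment in terms of the constant names instead ("the default life time is NONCE_LIFE_TIME seconds", "limited to NONCE_MAX_AMOUNT") and make the unit comment read `// seconds`. Since this is the session-bound nonce/state that ties an authorization response back to the request that started it, it would also help to add one sentence on the security consequence of the cap: a login tab older than the most recent NONCE_MAX_AMOUNT will fail validation rather than be accepted. The neighbouring `const ttl = 1800; // 30 minutes cache` on the line above is the same kind of magic number and could get the same named-constant treatment in this change.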
Expand Down Expand Up @@ -146,7 +156,7 @@ function onProfileLoaded(strategy, args) {
* - `responseMode` For login only flows we should have token passed back to us in a POST
* - `validateIssuer` if you have validation on, you cannot have users from multiple tenants sign in
* - `passReqToCallback` if you want the Req to go back to the calling function for other processing use this.
* - `nonceLifetime` the lifetime of nonce in session, default is 3600s = 60 minutes
* - `nonceLifetime` the lifetime of nonce in session, default is NONCE_LIFE_TIME
*
* Examples:
*
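Review bot: the updated option doc now says "default is NONCE_LIFE_TIME", which is an internal constant name that a user reading the options list cannot resolve; the previous wording at least told them the value. Keep the constant reference but spell out the unit and value alongside it, e.g. "`nonceLifetime` the lifetime of nonce in session, in seconds; default is NONCE_LIFE_TIME (3600s = 60 minutes)", so the rendered documentation stays meaningful on its own.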
Expand Down Expand Up @@ -197,7 +207,7 @@ function Strategy(options, verify) {
// normally user won't keep opening microsoft login page in new tabs without putting their
// password for more than 10 tabs, so we only keep the most recent 10 tuples in session.
// The lifetime of each tuple is 60 minutes or user specified.
this._sessionContentHandler = new SessionContentHandler(10, options.nonceLifetime || 3600);
this._sessionContentHandler = new SessionContentHandler(NONCE_MAX_AMOUNT, options.nonceLifetime || NONCE_LIFE_TIME);

/* When a user is authenticated for the first time, passport adds a new field
* to req.session called 'passport', and puts a 'user' property inside (or your
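Review bot: `options.nonceLifetime || NONCE_LIFE_TIME` applies no validation to the user-supplied value, so a string, a negative number or a very large number is passed straight into `SessionContentHandler` and directly sets how long a nonce/state tuple stays acceptable; consider checking that `nonceLifetime`, when present, is a finite positive number and throwing on anything else, as an oversized lifetime lengthens the window in which a stale tuple can be replayed. Note also that `||` treats `0` as unset, so a caller cannot express a zero lifetime even if that were intended; `typeof options.nonceLifetime === 'number'` would make the default explicit. The comment three lines above still hard-codes "more than 10 tabs", "the most recent 10 tuples" and "60 minutes"; now that the constants exist it should reference NONCE_MAX_AMOUNT and NONCE_LIFE_TIME as well.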

0 comments on commit 353999e
