✨ Separation of voting session time and bearer token lifetime (#359)

Parent issue: sequentech/meta#762

config.yml

@@ -1163,8 +1163,14 @@ config:
     # default: true
     allow_deregister: true
 
-    # Number of seconds after which an authentication token expires.
-    auth_token_expiration_seconds: 600
+    # Number of seconds after which an smartlink authentication token expires.
+    smartlink_token_expiration_seconds: 90
+
+    # Minimum session duration for a voter
+    access_auth_token_expiration_seconds: 60
+
+    # Maximum session duration for a voter (after renewing the access token)
+    refresh_auth_token_expiration_seconds: 600
 
     # Number of seconds after which an authentication token expires for admin
     # users

doc/production/config.auth.yml

@@ -194,6 +194,13 @@ config:
     # value is low to avoid denial of service attacks.
     client_max_header_size: 8k
 
+    # This changes proxy_connect_timeout/proxy_send_timeout/proxy_read_timeout
+    # in the nginx web server.
+    # Any request to the server will timeout with a 504 code if the server
+    # doesn't answer after this time.
+    # Note that this value is not higher to avoid denial of service attacks.
+    nginx_timeout_secs: 120
+
     # Path of the TLS PEM public certificate.
     #
     # Requirements:
@@ -428,6 +435,10 @@ config:
     # using their certificates as client certificates.
     ssl_port: 14453
 
+    # Numbers of seconds memcached mantains a cached item (an election)
+    # in the cache. By default it's 5 seconds.
+    cache_expiration_seconds: 5
+
     # Password used to encrypt the authorities' public keys for usage in
     # ballot-box.
     keystore_pass: '<PASSWORD>'
@@ -1147,8 +1158,14 @@ config:
     # default: true
     allow_deregister: true
 
-    # Number of seconds after which an authentication token expires.
-    auth_token_expiration_seconds: 600
+    # Number of seconds after which an smartlink authentication token expires.
+    smartlink_token_expiration_seconds: 90
+
+    # Minimum session duration for a voter
+    access_auth_token_expiration_seconds: 60
+
+    # Maximum session duration for a voter (after renewing the access token)
+    refresh_auth_token_expiration_seconds: 600
 
     # Number of seconds after which an authentication token expires for admin
     # users
@@ -1193,6 +1210,25 @@ config:
     # Allowed values: (user-and-password|email|email-otp|sms|sms-otp|openid-connect)
     auth_method: 'user-and-password'
 
+    # Enter the AWS credentials and configuration. Used for sending SMS using
+    # the 'aws-sns' SMS Provider. For more information, see
+    # https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html#using-boto3
+    aws:
+      # configures the content of the `~/.aws/credentials` file:
+      credentials: |
+        [default]
+        aws_access_key_id = AWS_ACCESS_KEY_ID
+        aws_secret_access_key = AWS_SECRET_ACCESS_KEY
+      # configures the content of the `~/.aws/config` file:
+      config: |
+        [default]
+        region=eu-west-1
+      # Sets the configuration for authentication messages sent by the AWS SNS
+      # provider
+      sns_message_attributes:
+        AWS.SNS.SMS.SenderID: "{'DataType': 'String', 'StringValue': 'SEQUENT'}"
+        AWS.SNS.SMS.SMSType: "{'DataType': 'String', 'StringValue': 'Transactional'}"
+
     # Defines the extra fields used in authentication and registration. Empty by
     # default
     extra_fields: >

doc/production/config.master.yml

@@ -194,6 +194,13 @@ config:
     # value is low to avoid denial of service attacks.
     client_max_header_size: 8k
 
+    # This changes proxy_connect_timeout/proxy_send_timeout/proxy_read_timeout
+    # in the nginx web server.
+    # Any request to the server will timeout with a 504 code if the server
+    # doesn't answer after this time.
+    # Note that this value is not higher to avoid denial of service attacks.
+    nginx_timeout_secs: 120
+
     # Path of the TLS PEM public certificate.
     #
     # Requirements:
@@ -428,6 +435,10 @@ config:
     # using their certificates as client certificates.
     ssl_port: 14453
 
+    # Numbers of seconds memcached mantains a cached item (an election)
+    # in the cache. By default it's 5 seconds.
+    cache_expiration_seconds: 5
+
     # Password used to encrypt the authorities' public keys for usage in
     # ballot-box.
     keystore_pass: '<PASSWORD>'
@@ -1147,8 +1158,14 @@ config:
     # default: true
     allow_deregister: true
 
-    # Number of seconds after which an authentication token expires.
-    auth_token_expiration_seconds: 600
+    # Number of seconds after which an smartlink authentication token expires.
+    smartlink_token_expiration_seconds: 90
+
+    # Minimum session duration for a voter
+    access_auth_token_expiration_seconds: 60
+
+    # Maximum session duration for a voter (after renewing the access token)
+    refresh_auth_token_expiration_seconds: 600
 
     # Number of seconds after which an authentication token expires for admin
     # users
@@ -1193,6 +1210,25 @@ config:
     # Allowed values: (user-and-password|email|email-otp|sms|sms-otp|openid-connect)
     auth_method: 'user-and-password'
 
+    # Enter the AWS credentials and configuration. Used for sending SMS using
+    # the 'aws-sns' SMS Provider. For more information, see
+    # https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html#using-boto3
+    aws:
+      # configures the content of the `~/.aws/credentials` file:
+      credentials: |
+        [default]
+        aws_access_key_id = AWS_ACCESS_KEY_ID
+        aws_secret_access_key = AWS_SECRET_ACCESS_KEY
+      # configures the content of the `~/.aws/config` file:
+      config: |
+        [default]
+        region=eu-west-1
+      # Sets the configuration for authentication messages sent by the AWS SNS
+      # provider
+      sns_message_attributes:
+        AWS.SNS.SMS.SenderID: "{'DataType': 'String', 'StringValue': 'SEQUENT'}"
+        AWS.SNS.SMS.SMSType: "{'DataType': 'String', 'StringValue': 'Transactional'}"
+
     # Defines the extra fields used in authentication and registration. Empty by
     # default
     extra_fields: >

iam/templates/deploy.py

@@ -96,10 +96,15 @@ def on_celery_setup_logging(**kwargs):
 
 SHARED_SECRET = b'{{config.ballot_box.shared_secret}}'
 
-TIMEOUT = {{config.iam.auth_token_expiration_seconds}}
+SMARTLINK_TIMEOUT = {{config.iam.smartlink_token_expiration_seconds}}
+
+ACCESS_TIMEOUT = {{config.iam.access_auth_token_expiration_seconds}}
+
+REFRESH_TIMEOUT = {{config.iam.refresh_auth_token_expiration_seconds}}
 
 ADMIN_TIMEOUT = {{config.iam.admin_auth_token_expiration_seconds}}
 
+
 SECRET_KEY = '{{ config.global_secret_key }}'
 HOME_URL = "https://{{ config.ballot_box.domain }}/election/__EVENT_ID__/public/home"
 

iam/templates/test_settings.py

@@ -66,10 +66,16 @@ class CeleryConfig:
 
 ALLOWED_HOSTS = []
 
-TIMEOUT = 300
+SMARTLINK_TIMEOUT = 90
+
+ACCESS_TIMEOUT = 60
+
+REFRESH_TIMEOUT = 600
 
 ADMIN_TIMEOUT = 3000
 
+REFRESH_TIMEOUT = 300
+
 ADMIN_AUTH_ID = 1
 
 ALLOW_ADMIN_AUTH_REGISTRATION = False

sequent-ui/templates/SequentConfig.js

@@ -405,7 +405,7 @@ var SequentConfigData = {
   ],
 
   // Number of seconds after which an authentication token expires.
-  authTokenExpirationSeconds: {{ config.iam.auth_token_expiration_seconds }},
+  authTokenExpirationSeconds: {{ config.iam.access_auth_token_expiration_seconds }},
 
   // Allow to tally multiple times and when election is open.
   enableMultipleTallies: {% if config.enable_multiple_tallies %}true{% else %}false{% endif %},