GUACAMOLE-1289: Migrate to minute-granularity timeouts for Duo (default of 5 minutes).

2025-09-06 05:07:41 +00:00 · 2024-04-25 16:18:33 -07:00
parent 23ed76d460
commit 3859fd2f1c
2 changed files with 16 additions and 13 deletions
--- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java
+++ b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java
@@ -151,7 +151,7 @@ public class UserVerificationService {
            // GUAC_PASSWORD tokens continue to work as expected despite the
            // redirect to/from the external Duo service)
            duoState = duoClient.generateState();
-            long expirationTimestamp = System.currentTimeMillis() + (confService.getAuthTimeout() * 1000L);
+            long expirationTimestamp = System.currentTimeMillis() + (confService.getAuthenticationTimeout() * 60000L);
            sessionManager.defer(new DuoAuthenticationSession(credentials, expirationTimestamp), duoState);

            // Obtain authentication URL from Duo client
--- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/conf/ConfigurationService.java
+++ b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/conf/ConfigurationService.java
@@ -94,7 +94,7 @@ public class ConfigurationService {
    };
    
    /**
-     * The property that configures the timeout, in seconds, of in-progress
+     * The property that configures the timeout, in minutes, of in-progress
     * Duo authentication attempts. Authentication attempts that take longer
     * than this period of time will be invalidated.
     */
@@ -171,19 +171,22 @@ public class ConfigurationService {
        return environment.getRequiredProperty(DUO_REDIRECT_URI);
    }

+
    /**
-     * Return the number of seconds after which in-progress authentication attempts with
-     * Duo should be invalidated. The default is 30 seconds.
+     * Returns the maximum amount of time to allow for an in-progress Duo
+     * authentication attempt to be completed, in minutes. A user that takes
+     * longer than this amount of time to complete authentication with Duo
+     * will need to try again.
     *
     * @return
-     *     The number of seconds after which in-progress Duo MFA attempts should
-     *     be invalidated.
+     *     The maximum amount of time to allow for an in-progress Duo
+     *     authentication attempt to be completed, in minutes.
     *
     * @throws GuacamoleException
-     *     If guacamole.properties cannot be parsed.
+     *     If the authentication timeout cannot be parsed.
     */
-    public int getAuthTimeout() throws GuacamoleException {
-        return environment.getProperty(DUO_AUTH_TIMEOUT, 30);
+    public int getAuthenticationTimeout() throws GuacamoleException {
+        return environment.getProperty(DUO_AUTH_TIMEOUT, 5);
    }

 }