lib/gds-sso/warden_config.rb in gds-sso-1.1.1 vs lib/gds-sso/warden_config.rb in gds-sso-1.2.0

- old
+ new

@@ -7,14 +7,20 @@ # If they were remotely signed out, clear the flag as they're no longer suspended
 user.clear_remotely_signed_out!
 end
 Warden::Manager.serialize_into_session do |user|
- user.respond_to?(:uid) ? user.uid : nil
+ user.respond_to?(:uid) ? [user.uid, Time.now.utc] : nil
 end
-Warden::Manager.serialize_from_session do |uid|
- GDS::SSO::Config.user_klass.find_by_uid(uid)
+Warden::Manager.serialize_from_session do |tuple|
+ # This will reject old sessions that don't have an auth_set time
+ uid, auth_set = tuple
+ if auth_set and (auth_set + GDS::SSO::Config.auth_valid_for) > Time.now.utc
+ GDS::SSO::Config.user_klass.find_by_uid(uid)
+ else
+ nil
+ end
 end
 Warden::Strategies.add(:gds_sso) do
 def valid?
 ! ::GDS::SSO::ApiAccess.api_call?(env)
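Review bot: The expiry check in serialize_from_session assumes `auth_set` comes back as a Time, but serialize_into_session now writes a raw `Time.now.utc` into the session, so the check only holds when the session store round-trips Ruby objects intact; a store that serialises values to strings would make `auth_set + GDS::SSO::Config.auth_valid_for` raise on every request instead of rejecting the session. Storing an epoch integer on both sides, `[user.uid, Time.now.utc.to_i]` and `if auth_set && (auth_set + GDS::SSO::Config.auth_valid_for) > Time.now.utc.to_i`, is independent of the serializer and also replaces `and` with `&&`, the form expected in a boolean condition (a `Integer === auth_set` guard would keep any in-flight sessions already holding a Time from raising during rollout). The `else nil end` branch is redundant — `GDS::SSO::Config.user_klass.find_by_uid(uid) if …` returns nil on its own. Whether `auth_valid_for` is guaranteed to be set is not visible from this hunk; if it can be nil, the addition raises a TypeError rather than treating the session as expired. The Warden::Strategies.add block at the end of the hunk continues outside it.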