add IDLE_TIME check

Author: bugov

README.rst

@@ -25,6 +25,18 @@ Append to `settings` middlewares:
         'django_auto_logout.middleware.auto_logout',
     )
 
+Logout in case of idle
+----------------------
+
+Logout a user if there are no requests for a long time.
+
+Add to `settings`:
+
+.. code:: python
+
+    AUTO_LOGOUT = {'IDLE_TIME': 600}  # logout after 10 minutes of downtime
+
+
 Limit session time
 ------------------
 
@@ -35,3 +47,18 @@ Add to `settings`:
 .. code:: python
 
     AUTO_LOGOUT = {'SESSION_TIME': 3600}
+
+Combine configurations
+----------------------
+
+You can combine previous configurations. For example, you may want to logout a user
+in case of downtime (5 minutes or more) and not allow working within one session
+for more than half an hour:
+
+
+.. code:: python
+
+    AUTO_LOGOUT = {
+        'IDLE_TIME': 300,  # 5 minutes
+        'SESSION_TIME': 1800,  # 30 minutes
+    }

django_auto_logout/__init__.py

@@ -1 +1 @@
-__version__ = '0.1.1'
+__version__ = '0.2.0'

django_auto_logout/middleware.py

@@ -19,10 +19,29 @@ def _auto_logout(request: HttpRequest, options):
     else:
         now = datetime.now()
 
-    if 'SESSION_TIME' in options:
-        ttl = options['SESSION_TIME']
-        should_logout = user.last_login < now - timedelta(seconds=ttl)
-        logger.debug('Check SESSION_TIME: %s < %s (%s)', user.last_login, now, should_logout)
+    if options.get('SESSION_TIME') is not None:
+        ttl = timedelta(seconds=options['SESSION_TIME'])
+        time_expired = user.last_login < now - ttl
+        should_logout |= time_expired
+        logger.debug('Check SESSION_TIME: %s < %s (%s)', user.last_login, now, time_expired)
+
+    if options.get('IDLE_TIME') is not None:
+        ttl = timedelta(seconds=options['IDLE_TIME'])
+
+        if 'django_auto_logout_last_touch' in request.session:
+            last_touch = datetime.fromisoformat(request.session['django_auto_logout_last_touch'])
+        else:
+            last_touch = now
+            request.session['django_auto_logout_last_touch'] = last_touch.isoformat()
+
+        time_expired = last_touch < now - ttl
+        should_logout |= time_expired
+        logger.debug('Check IDLE_TIME: %s < %s (%s)', last_touch, now, time_expired)
+
+        if should_logout:
+            del request.session['django_auto_logout_last_touch']
+        else:
+            request.session['django_auto_logout_last_touch'] = now.isoformat()
 
     if should_logout:
         logger.debug('Logout user %s', user)

example/example/settings.py

@@ -49,6 +49,7 @@
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
+
     'django_auto_logout.middleware.auto_logout',
 ]
 
@@ -161,3 +162,7 @@
 
 
 # DJANGO AUTO LOGIN
+AUTO_LOGOUT = {
+    'IDLE_TIME': 300,  # 5 minutes
+    'SESSION_TIME': 1800,  # 30 minutes
+}

example/some_app_login_required/tests.py

@@ -12,23 +12,93 @@ def setUp(self):
         self.superuser = UserModel.objects.create_superuser('superuser', 'superuser@localhost', 'pass')
         self.url = '/login-required/'
 
-    def _logout_session_time(self):
-        settings.AUTO_LOGOUT = {'SESSION_TIME': 1}
+    def assertLoginRequiredIsOk(self):
+        resp = self.client.get(self.url)
+        self.assertContains(resp, 'login required view', msg_prefix='Fine with authorized')
+
+    def assertLoginRequiredRedirect(self):
         resp = self.client.get(self.url)
         self.assertRedirects(resp, f'{settings.LOGIN_URL}?next={self.url}', msg_prefix='Redirect for anonymous')
 
+    def _logout_session_time(self):
+        settings.AUTO_LOGOUT = {'SESSION_TIME': 1}
+        self.assertLoginRequiredRedirect()
+
         self.client.force_login(self.user)
-        resp = self.client.get(self.url)
-        self.assertContains(resp, 'login required view', msg_prefix='Fine with authorized')
+        self.assertLoginRequiredIsOk()
 
         sleep(1)
-        resp = self.client.get(self.url)
-        self.assertRedirects(resp, f'{settings.LOGIN_URL}?next={self.url}', msg_prefix='Logout on session time expired')
+        self.assertLoginRequiredRedirect()
 
     def test_logout_session_time(self):
         settings.USE_TZ = False
         self._logout_session_time()
 
-    def test_logout_session_time_using_tz(self):
+    def test_logout_session_time_using_tz_utc(self):
+        settings.USE_TZ = True
+        self._logout_session_time()
+
+    def test_logout_session_time_using_tz_non_utc(self):
         settings.USE_TZ = True
+        settings.TIME_ZONE = 'Asia/Yekaterinburg'
         self._logout_session_time()
+
+    def test_logout_idle_time_no_idle(self):
+        settings.AUTO_LOGOUT = {'IDLE_TIME': 1}
+        self.client.force_login(self.user)
+        self.assertLoginRequiredIsOk()
+
+        for _ in range(10):
+            sleep(0.5)
+            self.assertLoginRequiredIsOk()
+
+    def test_logout_idle_time(self):
+        settings.AUTO_LOGOUT = {'IDLE_TIME': 1}
+        self.client.force_login(self.user)
+        self.assertLoginRequiredIsOk()
+
+        sleep(1.5)
+        self.assertLoginRequiredRedirect()
+
+    def test_combine_idle_and_session_time(self):
+        settings.AUTO_LOGOUT = {
+            'IDLE_TIME': 1,
+            'SESSION_TIME': 2,
+        }
+
+        self.client.force_login(self.user)
+        self.assertLoginRequiredIsOk()
+
+        sleep(0.5)
+        self.assertLoginRequiredIsOk()
+        sleep(0.5)
+        self.assertLoginRequiredIsOk()
+        sleep(0.5)
+        self.assertLoginRequiredIsOk()
+        sleep(0.5)
+        self.assertLoginRequiredRedirect()
+
+    def test_combine_idle_and_session_time_but_session_less_than_idle(self):
+        settings.AUTO_LOGOUT = {
+            'IDLE_TIME': 2,
+            'SESSION_TIME': 1,
+        }
+
+        self.client.force_login(self.user)
+        self.assertLoginRequiredIsOk()
+        sleep(0.5)
+        self.assertLoginRequiredIsOk()
+        sleep(0.5)
+        self.assertLoginRequiredRedirect()
+
+        self.client.force_login(self.user)
+        self.assertLoginRequiredIsOk()
+        sleep(0.5)
+        self.assertLoginRequiredIsOk()
+        sleep(0.5)
+        self.assertLoginRequiredRedirect()
+
+        self.client.force_login(self.user)
+        self.assertLoginRequiredIsOk()
+        sleep(1)
+        self.assertLoginRequiredRedirect()