From 2c74aa6f510070d742480047240704e757189799 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robin=20Hru=C5=A1ka?=
Date: Mon, 19 Aug 2024 16:32:09 +0200
Subject: [PATCH 1/2] Session expiry date must be the same as the expiration of its ACCESS token
---
 seacatauth/openidconnect/service.py | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/seacatauth/openidconnect/service.py b/seacatauth/openidconnect/service.py
index 452d8b80..8007f8d2 100644
--- a/seacatauth/openidconnect/service.py
+++ b/seacatauth/openidconnect/service.py
@@ -579,6 +579,11 @@ async def get_session_by_access_token(self, token_value: str):
 await self.TokenService.delete(token_bytes)
 raise exceptions.SessionNotFoundError("Access token points to a nonexistent session")
+ # Session expiry date must be the same as the expiration of its ACCESS token,
+ # and it should be deleted after its REFRESH token expires.
+ # TODO: This is a hotfix. Replace with a systemic solution.
+ session.Session.Expiration = token_data["exp"]
+
 return session
From ce8c0183a46757fb4c1f172736844bae5e6b83f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robin=20Hru=C5=A1ka?=
Date: Mon, 19 Aug 2024 16:46:15 +0200
Subject: [PATCH 2/2] update CHANGELOG.md
---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d4e848e8..26b29a82 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@
 ## v24.29
 ### Pre-releases
+- v24.29-alpha7
 - v24.29-alpha6
 - v24.29-alpha5
 - v24.29-alpha4
@@ -11,6 +12,7 @@
 - v24.29-alpha1
 ### Fix
+- Hotfix: Session expiration in userinfo must match access token expiration (#414, `v24.29-alpha7`)
 - Non-editable items are marked with read_only flag (#411, `v24.29-alpha5`)
 - Handle session decryption error (#410, `v24.29-alpha2`)
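Review bot: The new assignment `session.Session.Expiration = token_data["exp"]` assumes the stored token record always carries an `exp` key whose value has the same type `Session.Expiration` already holds; a record without it raises KeyError after the session lookup has already succeeded, which callers that catch `SessionNotFoundError` will not handle. If `exp` can legitimately be absent, `session.Session.Expiration = token_data.get("exp", session.Session.Expiration)` keeps the original value instead of failing. The second sentence of the added comment ("it should be deleted after its REFRESH token expires") describes behaviour this hunk does not implement; folding it into the TODO, e.g. `# TODO: Hotfix - deleting the session after its REFRESH token expires is not implemented here yet.`, would stop it reading as a statement about the current code. Because the override is applied to the session object in memory, any other consumer handed the same object sees the shortened expiration too, and if the session service caches instances the override may outlive this call — worth confirming. `get_session_by_access_token` starts outside the hunk, so where `token_data` and `session` are obtained is not visible here.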