.

app-code/api/auth/check_auth_key.php

@@ -2,11 +2,17 @@
 header('Content-Type: application/json');
 include "../../config/config.php";
 $conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD, $DB_DATABASE);
+$sql="DELETE FROM auth_tokens WHERE valid_until < ?;";
+$stmt = mysqli_prepare($conn, $sql);
+mysqli_stmt_bind_param($stmt, 'i',$now);
+mysqli_stmt_execute($stmt);
+mysqli_stmt_close($stmt);
 
 $auth_key=$_GET["auth_token"];
-$sql="SELECT user_id FROM auth_tokens WHERE auth_token = ?;";
+$now=time();
+$sql="SELECT user_id FROM auth_tokens WHERE auth_token = ? AND valid_until > ?;";
 $stmt = mysqli_prepare($conn, $sql);
-mysqli_stmt_bind_param($stmt, 's', $auth_key);
+mysqli_stmt_bind_param($stmt, 'si', $auth_key,$now);
 mysqli_stmt_execute($stmt);
 mysqli_stmt_store_result($stmt);
 //if auth key is valid

app-code/api/login/redirect.php

@@ -46,10 +46,11 @@ else if ($_SESSION["needs_auth"]===false && $_SESSION["mfa_authenticated"]==1 &&
 	//fully authenticated
 	//create auth token which other services can then use to check if user logged in
 	$user_id=$_SESSION["id"];
+	$valid_until=time()+(15*60);
 	$auth_token=bin2hex(random_bytes(128));
-	$sql="INSERT INTO auth_tokens (auth_token,user_id) VALUES(?,?);";
+	$sql="INSERT INTO auth_tokens (auth_token,user_id, valid_until) VALUES(?,?,?);";
 	$stmt = mysqli_prepare($conn, $sql);
-	mysqli_stmt_bind_param($stmt, 'si', $auth_token,$user_id);
+	mysqli_stmt_bind_param($stmt, 'sii', $auth_token,$user_id,$valid_until);
 	mysqli_stmt_execute($stmt);
 	mysqli_stmt_close($stmt);
 	if(!empty($send_to)){

app-code/install/create_db.php

@@ -100,7 +100,8 @@
 			$sql="CREATE TABLE IF NOT EXISTS auth_tokens (
 			    id INT AUTO_INCREMENT PRIMARY KEY,
 			    auth_token VARCHAR(256),
-			    user_id INT
+			    user_id INT,
+			    valid_until INT
 			);";