feat: follow new recommendation for idle/authentication timeouts

[paulswartz]

Summary of changes

• Idle timeout: 30 minutes
• Maximum session length: 12 hours

This aligns Arrow with the NIST SP 800-63 guidelines.

Reviewer Checklist

• Meets ticket's acceptance criteria
• Any new or changed functions have typespecs
• Tests were added for any new functionality (don't just rely on Codecov)
• This branch was deployed to the staging environment and is currently running with no unexpected increase in warnings, and no errors or crashes.

[github-actions]

Coverage of commit 6500abe

Summary coverage rate:
  lines......: 88.0% (683 of 776 lines)
  functions..: 59.5% (521 of 875 functions)
  branches...: no data found

Files changed coverage rate:
                                                                     |Lines       |Functions  |Branches    
  Filename                                                           |Rate     Num|Rate    Num|Rate     Num
  =========================================================================================================
  lib/arrow/ueberauth/strategy/fake.ex                               | 100%      7| 100%     7|    -      0
  lib/arrow_web/auth_manager.ex                                      |40.0%     10|18.5%    65|    -      0
  lib/arrow_web/auth_manager/error_handler.ex                        |83.3%      6| 100%     2|    -      0
  lib/arrow_web/auth_manager/pipeline.ex                             |83.3%      6|77.8%     9|    -      0
  lib/arrow_web/controllers/auth_controller.ex                       |75.0%     28|85.7%     7|    -      0

Download coverage report

[skyqrose]

Where do the iat and auth_time claims come from? I couldn't find any reference to them in ueberauth_oidcc

[paulswartz]

auth_time is coming from EntraID (via AuthController), and iat is from Guardian (all tokens have that claim).

[skyqrose]

A TTL of one minute? Could you set this token to expire when the iat expires or the auth_time expires, whichever comes first? Or would that prevent revoking access to accounts that are deactivated in EntraID?

[skyqrose]

Oh, is this so that you reset the 15 minute idle timeout (by having to refresh the token and get a new iat claim) on the next request after the 1m is up?

[paulswartz]

Exactly; the 1 minute makes sure this token is valid long enough for the next request to be made, at which point the token will be refreshed. It would also work to use the idle timeout here, but then this module also needs to reference the idle timeout value so it seemed cleaner to avoid that.