fix(api): expired sessions would not be destroyed

2025-12-17 05:57:56 +01:00 · 2022-03-03 08:46:48 +08:00 · 2022-03-03 08:46:48 +08:00 · 5ecc9c6785
commit 5ecc9c6785
parent fa04d9511a
1 changed files with 8 additions and 0 deletions
--- a/komga/src/main/kotlin/org/gotson/komga/infrastructure/security/SecurityConfiguration.kt
+++ b/komga/src/main/kotlin/org/gotson/komga/infrastructure/security/SecurityConfiguration.kt
@ -10,6 +10,7 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.builders.WebSecurity
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
+import org.springframework.security.core.session.SessionRegistry
 import org.springframework.security.core.userdetails.UserDetailsService
 import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest
 import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository
@ -33,6 +34,7 @@ class SecurityConfiguration(
  private val oidcUserService: OAuth2UserService<OidcUserRequest, OidcUser>,
  private val sessionCookieName: String,
  private val userAgentWebAuthenticationDetailsSource: WebAuthenticationDetailsSource,
+  private val sessionRegistry: SessionRegistry,
  clientRegistrationRepository: InMemoryClientRegistrationRepository?,
 ) : WebSecurityConfigurerAdapter() {

@ -71,6 +73,12 @@ class SecurityConfiguration(
        it.deleteCookies(sessionCookieName)
        it.invalidateHttpSession(true)
      }
+      .sessionManagement { session ->
+        session.sessionConcurrency {
+          it.sessionRegistry(sessionRegistry)
+          it.maximumSessions(-1)
+        }
+      }

    if (oauth2Enabled) {
      http.oauth2Login { oauth2 ->