From 15f6ec96327d69d19fcce937811214e113341f58 Mon Sep 17 00:00:00 2001 From: Inon S Date: Tue, 29 May 2018 11:07:16 +0300 Subject: [PATCH] LFS: make HTTP auth period configurable (#4035) * LFS: make HTTP auth period configurable * Formatting: Removed semicolon Due to automated fmt-check failure (drone.gitea.io) * applying code reviews * Applied code review comment: Change HTTPAuthExpiry to time.Duration * Updated config cheat sheet --- cmd/serv.go | 2 +- custom/conf/app.ini.sample | 2 ++ .../content/doc/advanced/config-cheat-sheet.en-us.md | 1 + modules/setting/setting.go | 12 ++++++++---- 4 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/cmd/serv.go b/cmd/serv.go
index 5d567e6d6..990355be9 100644
--- a/cmd/serv.go
+++ b/cmd/serv.go
@@ -268,7 +268,7 @@ func runServ(c *cli.Context) error {
 claims := jwt.MapClaims{
 "repo": repo.ID,
 "op": lfsVerb,
- "exp": now.Add(5 * time.Minute).Unix(),
+ "exp": now.Add(setting.LFS.HTTPAuthExpiry).Unix(),
 "nbf": now.Unix(),
 }
 if user != nil {
diff --git a/custom/conf/app.ini.sample b/custom/conf/app.ini.sample
index 184fa8e8c..ef88e5c32 100644
--- a/custom/conf/app.ini.sample
+++ b/custom/conf/app.ini.sample
@@ -189,6 +189,8 @@ LFS_START_SERVER = false
 LFS_CONTENT_PATH = data/lfs
 ; LFS authentication secret, change this yourself
 LFS_JWT_SECRET =
+; LFS authentication validity period (in time.Duration), pushes taking longer than this may fail.
+LFS_HTTP_AUTH_EXPIRY = 20m
 ; Define allowed algorithms and their minimum key length (use -1 to disable a type)
 [ssh.minimum_key_sizes]
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
index 69f588ebe..3f8ebea61 100644
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -115,6 +115,7 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 - `LFS_START_SERVER`: **false**: Enables git-lfs support.
 - `LFS_CONTENT_PATH`: **./data/lfs**: Where to store LFS files.
 - `LFS_JWT_SECRET`: **\**: LFS authentication secret, change this a unique string.
+- `LFS_HTTP_AUTH_EXPIRY`: **20m**: LFS authentication validity period in time.Duration, pushes taking longer than this may fail.
 - `REDIRECT_OTHER_PORT`: **false**: If true and `PROTOCOL` is https, redirects http requests on another (https) port.
 - `PORT_TO_REDIRECT`: **80**: Port used when `REDIRECT_OTHER_PORT` is true.
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index b23a68e3a..c8add5fd3 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -136,10 +136,11 @@ var (
 }
 LFS struct {
- StartServer bool `ini:"LFS_START_SERVER"`
- ContentPath string `ini:"LFS_CONTENT_PATH"`
- JWTSecretBase64 string `ini:"LFS_JWT_SECRET"`
- JWTSecretBytes []byte `ini:"-"`
+ StartServer bool `ini:"LFS_START_SERVER"`
+ ContentPath string `ini:"LFS_CONTENT_PATH"`
+ JWTSecretBase64 string `ini:"LFS_JWT_SECRET"`
+ JWTSecretBytes []byte `ini:"-"`
+ HTTPAuthExpiry time.Duration `ini:"LFS_HTTP_AUTH_EXPIRY"`
 }
 // Security settings
@@ -828,6 +829,9 @@ func NewContext() {
 LFS.ContentPath = filepath.Join(AppWorkPath, LFS.ContentPath)
 }
+ sec = Cfg.Section("LFS")
+ LFS.HTTPAuthExpiry = sec.Key("LFS_HTTP_AUTH_EXPIRY").MustDuration(20 * time.Minute)
+
 if LFS.StartServer {
 if err := os.MkdirAll(LFS.ContentPath, 0700); err != nil {
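Review bot: The new `HTTPAuthExpiry` field in the `LFS` struct has no comment, although it now sets the `exp` claim of the LFS token built in cmd/serv.go, which was a fixed 5 minutes before this commit and defaults to 20 minutes after it. A field comment would make that trade-off visible to whoever tunes the value, e.g. `// HTTPAuthExpiry is the lifetime of the JWT issued for LFS over HTTP; a longer value widens the window in which a leaked token can be replayed.` The struct itself is complete within the hunk, but the enclosing `var (` block starts and ends outside it.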
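Review bot: The value is read from `Cfg.Section("LFS")`, while the sample config in this commit places `LFS_HTTP_AUTH_EXPIRY` directly under `LFS_JWT_SECRET` and the struct field carries an `ini` tag like its siblings. The section header and any mapping call are outside the visible hunks, but if those keys live in a section with another name, this assignment ignores the administrator's value and always yields the 20-minute default. `MustDuration` also falls back to the default silently when the value does not parse, and it accepts zero or negative durations, which would make cmd/serv.go issue tokens whose `exp` is not after `nbf`. Consider reading from the same section as the other LFS keys and rejecting non-positive values with a logged warning, e.g. `if LFS.HTTPAuthExpiry <= 0 { LFS.HTTPAuthExpiry = 20 * time.Minute }`. `NewContext` starts and ends outside this hunk.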