From d08d136990955be2a680d87fe1197d4c98782826 Mon Sep 17 00:00:00 2001
From: Belle Aerni
Date: Sun, 12 Feb 2023 19:41:52 -0800
Subject: [PATCH] Implement a basic session expiration

It's rudimentary, but this should ensure that people will need to re-authenticate after closing their browser session
---
 src/AntCMS/AntAuth.php | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/AntCMS/AntAuth.php b/src/AntCMS/AntAuth.php
index 08e22ca..43060c0 100644
--- a/src/AntCMS/AntAuth.php
+++ b/src/AntCMS/AntAuth.php
@@ -33,6 +33,11 @@ class AntAuth
 $currentConfig = AntConfig::currentConfig();
 }
 
+ // If the credentials are still set valid, but the auth cookie has expired, re-require authentication.
+ if (!isset($_COOKIE['auth'])) {
+ AntAuth::requireAuth();
+ }
+
 if ($currentConfig['admin']['username'] == $username && password_verify($password, $currentConfig['admin']['password'])) {
 return;
 }
@@ -47,6 +52,8 @@ class AntAuth
 */
 private static function requireAuth()
 {
+ setcookie("auth", "true");
+
 $title = AntConfig::currentConfig('siteInfo.siteTitle');
 header('WWW-Authenticate: Basic realm="' . $title . '"');
 http_response_code(401);
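Review bot: The added `!isset($_COOKIE['auth'])` test only checks that the client sent a cookie named `auth`, so it is a prompt-forcing hint rather than a session check, and the comment above it should say so; `password_verify` on the following context line remains the only real gate. The re-prompt also works only if `requireAuth()` ends the request, which the second hunk does not show because that method's body continues past it; if it returns instead, valid cached credentials fall through to the `return;` below and the new check has no effect. I would reword the comment to `// The auth cookie is client-controlled and only records that a challenge was issued; credentials are still verified below.` and confirm that `requireAuth()` terminates with `exit`. The enclosing method starts outside the hunk.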
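Review bot: `setcookie("auth", "true")` at the top of `requireAuth()` runs on every 401 challenge, before any credentials have been verified, and sets no attributes, so the cookie has no explicit path, `HttpOnly` or `SameSite` and is scoped to whichever directory the request happened to hit. If the protected pages live under more than one path the browser may not send it back and the user would be challenged repeatedly; that is inferred, since the routes are not visible here. Assuming the project targets PHP 7.3 or later, `setcookie('auth', 'true', ['path' => '/', 'httponly' => true, 'samesite' => 'Strict']);` pins the scope while keeping it a session cookie, with `'secure' => true` added where the site is served over HTTPS. The body of `requireAuth()` continues past the end of the hunk.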