
feat: Auto-lock session after inactivity timeout #44

Merged
patchmemory merged 7 commits into main from pr/auto-lock-inactivity
Feb 8, 2026

Conversation

@patchmemory (Owner)

Summary

Implements task:security/auth/auto-lock-inactivity (RICE: 18) - comprehensive session auto-lock functionality with configurable inactivity timeouts.

Features Implemented

Backend

  • Session Lock State: Added locked and locked_at columns to auth_sessions table
  • API Endpoints:
    • POST /api/auth/lock - Lock current session
    • POST /api/auth/unlock - Unlock with password verification
    • GET /api/settings/security/auto-lock - Get auto-lock configuration
    • POST /api/settings/security/auto-lock - Save auto-lock configuration
  • Auth Manager Methods:
    • lock_session(token) - Lock a session
    • unlock_session(token, password) - Unlock with password validation
    • is_session_locked(token) - Check if session is locked
    • get_session_lock_info(token) - Get lock state and metadata
  • Middleware Integration: Returns 423 (Locked) status when session is locked
  • Database Migration: Auto-migrates existing databases to add lock columns
  • Security Features:
    • Failed unlock attempts logged and tracked
    • Audit logging for all lock/unlock events
    • Server-side lock state (cannot be bypassed client-side)

Frontend

  • Activity Monitor: JavaScript class tracking user activity
    • Monitors mouse, keyboard, scroll, and touch events
    • Configurable timeout (1-120 minutes)
    • Checks every 10 seconds for inactivity
  • Lock Screen Overlay:
    • Full-screen overlay with password prompt
    • Displays username and lock time
    • Password-only unlock (no username required)
    • Shows error messages for failed attempts
  • Settings UI: Auto-lock controls in Settings > General > Security
    • Enable/disable toggle
    • Timeout configuration (1-120 minutes)
    • Integrated with existing security settings save flow

Testing

Unit Tests (12 passing)

  • ✅ Session lock/unlock functionality
  • ✅ Password verification
  • ✅ Lock state tracking
  • ✅ Database migration
  • ✅ Audit logging
  • ✅ Settings storage
  • ✅ Edge cases (invalid tokens, wrong passwords, etc.)

All tests passing: pytest tests/test_auto_lock.py -v

Acceptance Criteria

✅ User can enable auto-lock in Settings > General > Security
✅ User can configure inactivity timeout (1-120 minutes)
✅ After configured inactivity period, session is locked
✅ Locked session shows lock screen overlay requiring password
✅ User can unlock with password (no username required)
✅ Activity tracking includes mouse moves, clicks, keyboard input, API calls
✅ Lock screen shows username and time of lock
✅ Failed unlock attempts logged for security
✅ Unit tests verify functionality

Demo Steps

  1. Enable authentication in Settings > General > Security
  2. Login with test user credentials
  3. Enable auto-lock with 1-minute timeout
  4. Save settings
  5. Wait 1 minute without any activity (mouse/keyboard/scroll)
  6. Lock screen overlay appears automatically
  7. Enter password to unlock
  8. Session resumes exactly where it left off
  9. Failed unlock attempts show error messages
  10. Check audit log to see lock/unlock events

Files Changed

  • scidk/core/auth.py - Session lock/unlock methods and database migration
  • scidk/web/routes/api_auth.py - Lock/unlock API endpoints
  • scidk/web/routes/api_settings.py - Auto-lock settings endpoints
  • scidk/web/auth_middleware.py - Session lock checking
  • scidk/ui/templates/base.html - Activity monitor and lock screen UI
  • scidk/ui/templates/settings/_general.html - Auto-lock settings controls
  • tests/test_auto_lock.py - Comprehensive unit tests (12 tests)

Related Tasks

  • Depends on: task:security/auth/basic-authentication ✅ (completed)
  • Part of security enhancement story

🤖 Generated with Claude Code

patchmemory and others added 7 commits February 8, 2026 14:40

Refactored the large index.html file (2848 lines) by extracting 7 settings
sections into self-contained partial templates:

**New partial templates in settings/ directory:**
- _general.html (989 lines): System info, config export/import, security,
  user management, audit log with 4 JS init functions
- _neo4j.html (177 lines): Neo4j connection settings with connection
  management JS
- _chat.html (265 lines): LLM provider configuration with initChatSettings
- _interpreters.html (118 lines): Interpreter mappings and toggles with
  dynamic table
- _plugins.html (8 lines): Plugin registry summary
- _rclone.html (146 lines): Rclone interpretation and mount management with JS
- _integrations.html (1015 lines): API endpoints, table formats, fuzzy
  matching with 3 JS init functions

**Main index.html changes:**
- Reduced from 2848 to 141 lines (95% reduction)
- Now uses {% include %} directives to compose sections
- Keeps only shared CSS and tab navigation JavaScript
- All section-specific JS moved into respective partials

**Cleanup:**
- Deleted obsolete settings.html file (2067 lines)
- /settings route already redirects to / (landing page)

**Tests:**
- All pytest tests pass (25/25)
- Added TODO placeholders in E2E tests for future updates

**Benefits:**
- Easier to find and edit specific settings sections
- Reduced merge conflicts
- Each partial is self-contained with HTML + JS
- Maintained identical functionality and appearance

Related: task:ui/settings/modularization

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Adds comprehensive session locking functionality with:
- Server-side session lock/unlock API endpoints
- Client-side activity monitoring with configurable timeouts
- Lock screen overlay with password verification
- Auto-lock settings in Security section (1-120 minutes)
- Session lock state tracking in auth_sessions table
- Audit logging for lock/unlock events
- Failed unlock attempt tracking
- Middleware integration (returns 423 when locked)

Backend changes:
- Add locked/locked_at columns to auth_sessions table
- Add lock_session(), unlock_session(), is_session_locked() methods
- Add get_session_lock_info() for retrieving lock state
- Add migration for existing databases
- Add /api/auth/lock and /api/auth/unlock endpoints
- Add /api/settings/security/auto-lock GET/POST endpoints
- Update auth middleware to check session lock state

Frontend changes:
- Add ActivityMonitor JavaScript class in base.html
- Track mouse, keyboard, scroll, touch activity
- Auto-lock session after configured inactivity period
- Show lock screen overlay with username and lock time
- Password-only unlock (no username required)
- Auto-load lock screen if session already locked
- Add auto-lock enable/disable toggle in Settings
- Add timeout configuration (1-120 minutes)

Testing:
- 12 unit tests covering lock/unlock functionality
- Test session locking and unlocking
- Test password verification
- Test audit logging
- Test settings storage
- All tests passing

Acceptance criteria met:
✅ User can enable auto-lock in Settings > General > Security
✅ User can configure inactivity timeout (1-120 minutes)
✅ After configured inactivity, session is locked
✅ Locked session shows lock screen with password prompt
✅ User can unlock with password (no username required)
✅ Activity tracking includes mouse/keyboard/scroll/touch
✅ Lock screen shows username and time of lock
✅ Failed unlock attempts logged for security
✅ Unit tests verify functionality

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Resolved conflicts in:
- scidk/ui/templates/settings/_general.html (kept auto-lock features)
- dev submodule (updated to latest)
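The server-side part of the design described in the PR summary and restated in the feature commit message (lock_session / unlock_session / is_session_locked / get_session_lock_info, failed-attempt tracking, audit logging, and a middleware check that answers 423 for a locked session) is sketched below as an added example. It is not scidk's code: the in-memory store, the PBKDF2 password hashing, the function names and the status-code mapping are assumptions made for the example. It also goes one step past what the PR states: besides the explicit lock the browser's ActivityMonitor requests, the check locks a session server-side once no request has been seen within `timeout_s`, so the timeout still holds if the client timer never fires (a scripted client, a suspended tab); that fallback is this example's addition, not a feature of the PR.

```python
"""Added example, not scidk's own code: an in-memory model of server-side
session locking with password-verified unlock, failed-attempt tracking,
an audit log and a middleware-style status decision (401 / 423 / 200).
Store, names, KDF parameters and the server-side idle fallback are assumptions."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # assumed KDF setting; scidk's real hashing is not on the page


def hash_password(password: str) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest) for storing a password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so a wrong guess leaks nothing through timing."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Session:
    token: str
    username: str
    last_activity: float               # server-side view of activity (this example's addition)
    locked: bool = False               # mirrors the PR's `locked` column
    locked_at: Optional[float] = None  # mirrors the PR's `locked_at` column
    failed_unlocks: int = 0            # failed-attempt tracking


@dataclass
class AuthManager:
    users: Dict[str, Tuple[bytes, bytes]]            # username -> (salt, digest)
    sessions: Dict[str, Session] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)
    clock: Callable[[], float] = time.time           # injectable so tests can move time

    def _audit(self, event: str, session: Session, **extra) -> None:
        # Log a token prefix only: the full token must never land in the audit trail.
        self.audit_log.append({"event": event, "user": session.username,
                               "token": session.token[:8], "ts": self.clock(), **extra})

    def create_session(self, username: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, username, self.clock())
        return token

    def lock_session(self, token: str) -> bool:
        s = self.sessions.get(token)
        if s is None:
            return False
        if not s.locked:                             # idempotent: a second lock is a no-op
            s.locked, s.locked_at = True, self.clock()
            self._audit("session_locked", s)
        return True

    def unlock_session(self, token: str, password: str) -> bool:
        s = self.sessions.get(token)
        if s is None:
            return False
        salt, digest = self.users[s.username]
        if not verify_password(password, salt, digest):
            s.failed_unlocks += 1                    # state stays locked on a wrong password
            self._audit("unlock_failed", s, attempts=s.failed_unlocks)
            return False
        s.locked, s.locked_at, s.failed_unlocks = False, None, 0
        s.last_activity = self.clock()
        self._audit("session_unlocked", s)
        return True

    def is_session_locked(self, token: str) -> bool:
        s = self.sessions.get(token)
        return s is not None and s.locked

    def get_session_lock_info(self, token: str) -> Optional[dict]:
        s = self.sessions.get(token)
        if s is None:
            return None
        return {"username": s.username, "locked": s.locked,
                "locked_at": s.locked_at, "failed_unlocks": s.failed_unlocks}


def check_request(auth: AuthManager, token: str, timeout_s: float = 600.0) -> int:
    """Middleware decision for one authenticated request: 401 for an unknown token,
    423 Locked when the session is locked (explicitly, or idle past timeout_s, in
    which case it is locked here), 200 otherwise, counting the request as activity."""
    s = auth.sessions.get(token)
    if s is None:
        return 401
    if not s.locked and auth.clock() - s.last_activity > timeout_s:
        auth.lock_session(token)  # server-side fallback, independent of the browser timer
    if s.locked:
        return 423
    s.last_activity = auth.clock()
    return 200
```

The lock decision lives entirely in `AuthManager`, so a client that suppresses the overlay or skips the POST to the lock endpoint still receives 423 on its next request once the server-side state says locked; the injected `clock` is what lets a test advance past the timeout without sleeping.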
patchmemory merged commit 8c1e226 into main Feb 8, 2026
1 check passed
patchmemory deleted the pr/auto-lock-inactivity branch February 8, 2026 20:53