feat(security): add session timeout + transaction wrapping (B1)

Session timeout: configurable idle (default 30min) and absolute (default 8h)
timeouts via DB settings, enforced in web/index.php on every request.
Timestamps set at login in action layer; graceful fallback for pre-existing
sessions.

Transaction wrapping: UserAccountService.createFromAdmin/register, roles
create/edit, and permissions edit now wrap multi-step DB operations in
transactions to guarantee atomicity.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-03-09 19:16:26 +01:00
parent 8d6cfa2fbc
commit 11ca546eae
17 changed files with 415 additions and 103 deletions

View File

@@ -20,6 +20,7 @@ class SettingServicesFactory
private ?SettingsSystemAuditGateway $settingsSystemAuditGateway = null;
private ?SettingsFrontendTelemetryGateway $settingsFrontendTelemetryGateway = null;
private ?SettingsMicrosoftGateway $settingsMicrosoftGateway = null;
private ?SettingsSessionGateway $settingsSessionGateway = null;
private ?SettingsSmtpGateway $settingsSmtpGateway = null;
public function __construct(
@@ -83,6 +84,11 @@ class SettingServicesFactory
);
}
public function createSettingsSessionGateway(): SettingsSessionGateway
{
return $this->settingsSessionGateway ??= new SettingsSessionGateway($this->createSettingsMetadataGateway());
}
public function createSettingsSmtpGateway(): SettingsSmtpGateway
{
return $this->settingsSmtpGateway ??= new SettingsSmtpGateway($this->createSettingsMetadataGateway());