As a result of moving to parent-domain cookies in #19, Flask-Lastuser now recognises a new user, but does not run the app's usual post-login process. This means if the app has custom code to sync userdata with Lastuser, this code is never called, unless the user explicitly logs in while within the app.
Since we've also moved to permanent cookies as of eb4f7dc in Apr 2014, sync-at-login has been broken for some time.
Flask-Lastuser should instead add an additional flag to the app's session cookie (not the Lastuser cookie) holding the login time, tagged lastuser_session_since (or something shorter). This value is updated under three conditions:
- The user has just explicitly logged in (set current timestamp)
- The user has just explicitly logged out (remove key)
- In before_request, if the timestamp is more than 30 minutes old. In this case, we also explicitly call the app's auth handler view and let it perform the usual sync. This ensures sync happens at least once every half hour.
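The three conditions above, as an added example that is not Flask-Lastuser's own code. It assumes the app session is passed in as a plain dict standing in for Flask's signed `session` (so it runs without Flask), a hypothetical `sync_handler` callable standing in for the app's auth handler view, and an optional `now` argument so the 30-minute check can be driven from a test instead of the wall clock.

```python
import time

SESSION_KEY = "lastuser_session_since"   # flag name proposed in the issue
SYNC_INTERVAL = 30 * 60                  # resync at least once every half hour


def _now(now):
    """Use the injected clock when given, else wall-clock time."""
    return int(now if now is not None else time.time())


def mark_logged_in(session, now=None):
    """Condition 1: explicit login stores the current timestamp.
    The flag lives in the app's signed session cookie, not the parent-domain
    Lastuser cookie, so the client cannot forge or extend it."""
    session[SESSION_KEY] = _now(now)


def mark_logged_out(session):
    """Condition 2: explicit logout removes the key."""
    session.pop(SESSION_KEY, None)


def needs_sync(session, now=None):
    """True when the flag is absent (user recognised via the parent-domain
    cookie but never synced in this app) or older than SYNC_INTERVAL."""
    since = session.get(SESSION_KEY)
    if since is None:
        return True
    return (_now(now) - since) > SYNC_INTERVAL


def before_request_sync(session, user_id, sync_handler, now=None):
    """Condition 3: call from before_request for every request.
    Runs the app's sync handler (hypothetical callable) when a sync is due,
    refreshes the timestamp, and returns True if a sync was performed."""
    if user_id is None:            # anonymous request, nothing to sync
        return False
    if not needs_sync(session, now):
        return False
    sync_handler(user_id)          # the app's usual post-login sync
    session[SESSION_KEY] = _now(now)
    return True
```

Because the handler runs inline, the first request after the interval pays the sync cost, which is the page-load caveat discussed next.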
Caveat: Sync can be expensive. Since it will also run for every user who returns after a while, it will affect first page load time. Perhaps the flag should be on the User model instead (perhaps using updated_at), so that if the User record appears to have been updated recently (because of a background push notification), no new update is necessary. (OTOH, if there has been no change recently, updated_at will be outdated anyway, so there will be the exact same sync delay with both approaches.)