Use date-insensitive cookie expiration

On an out-of-time host (any raspberry offline and without working,
battery-backed RTC), the cookie expiration would likely be set to
a date in the past.
Connecting via a strict, time-synced device (iOS) would thus not
send (or even remove) the cookie set at credentials-sending\
resulting in a redirect to the login page.

We are now setting the expiration as a seconds offset from now,
that the client itself will interpret.

https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.2

Fixes #8

Author: rgaudin

CHANGELOG.md

@@ -11,6 +11,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Password visibility toggle on login page (dashboard#46)
 
+## Fixed
+
+- Unable to login in on out-of-time systems (#8)
+
 ## [1.3.2] - 2025-12-11
 
 ### Fixed

src/adminui/auth/session.py

@@ -12,6 +12,11 @@ class Session(BaseModel):
     id: UUID
     expire_on: datetime.datetime
 
+    @property
+    def expire_in(self) -> int:
+        """ nb of seconds from now until expiration"""
+        return int((self.expire_on - get_now()).total_seconds())
+
     @property
     def is_valid(self) -> bool:
         return self.expire_on > get_now()

src/adminui/auth/views.py

@@ -65,7 +65,7 @@ def login_auth(
         response.set_cookie(
             key=SESSION_COOKIE_NAME,
             value=str(session.id),
-            expires=session.expire_on,
+            max_age=session.expire_in,
             httponly=True,
         )
         return response