Diffstat (limited to 'controllers')
-rw-r--r--controllers/auth.php5
-rw-r--r--controllers/controllers.php12
2 files changed, 16 insertions, 1 deletions
diff --git a/controllers/auth.php b/controllers/auth.php
index 9dcc81d..50dbc02 100644
--- a/controllers/auth.php
+++ b/controllers/auth.php
@@ -175,6 +175,10 @@ $app->get('/auth/callback', function() use($app) {
$user->token_endpoint = $tokenEndpoint;
$user->micropub_endpoint = $micropubEndpoint;
$user->micropub_access_token = $token['response']['access_token'];
+ if(is_numeric($token['response']['expires_in'])) {
+ $expiration = time() + $token['response']['expires_in'];
+ $user->micropub_token_expiration = date('Y-m-d H:i:s', $expiration);
+ }
$user->micropub_scope = $token['response']['scope'];
$user->micropub_response = $token['raw_response'];
$user->save();
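Review bot: When the token response carries no `expires_in` (the field is optional in OAuth 2.0), the added `if` leaves whatever `micropub_token_expiration` the row already held. If `$user` is an existing row, a stale expiry from an earlier token survives a fresh login, and the check this commit adds to `require_login` would then redirect to `/auth/start` on each request. Clearing the field in an else branch avoids that, e.g. `} else { $user->micropub_token_expiration = null; }`, and testing `isset($token['response']['expires_in'])` first avoids an undefined-index notice. The value comes from a remote token endpoint and `is_numeric` also accepts negatives, floats and exponent strings, so a positive-integer check such as `ctype_digit((string)$token['response']['expires_in'])` is the tighter guard. The callback body starts and ends outside this hunk.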
@@ -236,6 +240,7 @@ $app->post('/auth/reset', function() use($app) {
$user->micropub_media_endpoint = '';
$user->micropub_scope = '';
$user->micropub_access_token = '';
+ $user->micropub_token_expiration = '';
$user->syndication_targets = '';
$user->supported_post_types = '';
$user->save();
diff --git a/controllers/controllers.php b/controllers/controllers.php
index 153c9e2..de497c9 100644
--- a/controllers/controllers.php
+++ b/controllers/controllers.php
@@ -30,7 +30,17 @@ function require_login(&$app, $redirect=true) {
$app->redirect('/', 302);
return false;
} else {
- return ORM::for_table('users')->find_one($_SESSION['user_id']);
+ $user = ORM::for_table('users')->find_one($_SESSION['user_id']);
+ if(isset($user->micropub_token_expiration)) {
+ $now = new DateTime();
+ $expiration = new DateTime($user->micropub_token_expiration);
+ if($now > $expiration) {
+ header('X-Error: TokenExpired');
+ $app->redirect('/auth/start?'.http_build_query(array('me' => $user->url)), 302);
+ return false;
+ }
+ }
+ return $user;
}
}
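Review bot: The `isset($user->micropub_token_expiration)` guard would also pass for the empty string that the `/auth/reset` hunk in auth.php writes, so `new DateTime('')` runs and is parsed as the current time rather than as "no expiry". The outcome of `$now > $expiration` then depends on clock ordering, or on whatever the database stored for `''` (column type not visible here). `if(!empty($user->micropub_token_expiration))` keeps cleared rows out of the check. The new redirect also ignores the `$redirect` parameter shown in the hunk header, so callers passing `false` would presumably receive a 302 instead of a plain `false`; guarding it with `if($redirect)` would match the signature. The start of `require_login` is outside the hunk.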