From 313dc31535b3d08448650b9c1641bb66fb868002 Mon Sep 17 00:00:00 2001
From: Tom Blauwendraat <tom@sunflowerweb.nl>
Date: Sun, 2 Jul 2023 17:25:27 +0200
Subject: [PATCH] [FIX] auth_session_timeout: problem whereby page is refreshed
 with F5, but /web is a public route, so it does not trigger the session check
 but it does trigger session save, so the file mtime is updated before the
 second HTTP call makes the check takes place, and session is not expired

---
 auth_session_timeout/models/ir_http.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/auth_session_timeout/models/ir_http.py b/auth_session_timeout/models/ir_http.py
index 8b11bc7ec2..c3ec9ab676 100644
--- a/auth_session_timeout/models/ir_http.py
+++ b/auth_session_timeout/models/ir_http.py
@@ -10,7 +10,11 @@ class IrHttp(models.AbstractModel):
     @classmethod
     def _authenticate(cls, endpoint):
         res = super(IrHttp, cls)._authenticate(endpoint=endpoint)
-        auth_method = endpoint.routing["auth"]
-        if auth_method == "user" and request and request.env and request.env.user:
+        if (
+            request
+            and request.session
+            and request.session.uid
+            and not request.env["res.users"].browse(request.session.uid)._is_public()
+        ):
             request.env.user._auth_timeout_check()
         return res