etiquette/frontends/etiquette_flask/etiquette_flask/sessions.py

import flask; from flask import request
import functools
import math
import os
import werkzeug.wrappers

import etiquette

SESSION_MAX_AGE = 86400

def _generate_token(length=32):
    randbytes = os.urandom(math.ceil(length / 2))
    token = ''.join('{:02x}'.format(x) for x in randbytes)
    token = token[:length]
    return token

def _normalize_token(token):
    if isinstance(token, (flask.Request, werkzeug.wrappers.Request, werkzeug.local.LocalProxy)):
        request = token
        token = request.cookies.get('etiquette_session', None)
        if token is None:
            message = 'Cannot normalize token for request with no etiquette_session header.'
            raise TypeError(message, request)
    elif isinstance(token, str):
        pass
    else:
        raise TypeError('Unsupported token normalization', type(token))
    return token


class SessionManager:
    def __init__(self):
        self.sessions = {}

    def add(self, session):
        self.sessions[session.token] = session

    def get(self, token):
        token = _normalize_token(token)
        session = self.sessions[token]
        if session.expired():
            raise KeyError(token)
        return session

    def give_token(self, function):
        '''
        This decorator ensures that the user has an `etiquette_session` cookie
        before reaching the request handler.
        If the user does not have the cookie, they are given one.
        If they do, its lifespan is reset.
        '''
        @functools.wraps(function)
        def wrapped(*args, **kwargs):
            # Inject new token so the function doesn't know the difference
            token = request.cookies.get('etiquette_session', None)
            if not token or token not in self.sessions:
                token = _generate_token()
                request.cookies = dict(request.cookies)
                request.cookies['etiquette_session'] = token

            try:
                session = self.get(token)
            except KeyError:
                session = Session(request, user=None)
                self.add(session)
            else:
                session.maintain()

            response = function(*args, **kwargs)
            if not isinstance(response, (flask.Response, werkzeug.wrappers.Response)):
                response = flask.Response(response)

            # Send the token back to the client
            # but only if the endpoint didn't manually set the cookie.
            function_cookies = response.headers.get_all('Set-Cookie')
            if not any('etiquette_session=' in cookie for cookie in function_cookies):
                response.set_cookie(
                    'etiquette_session',
                    value=session.token,
                    max_age=SESSION_MAX_AGE,
                )

            return response
        return wrapped

    def remove(self, token):
        token = _normalize_token(token)
        if token in self.sessions:
            self.sessions.pop(token)

class Session:
    def __init__(self, request, user):
        self.token = _normalize_token(request)
        self.user = user
        self.ip_address = request.remote_addr
        self.user_agent = request.headers.get('User-Agent', '')
        self.last_activity = etiquette.helpers.now()

    def __repr__(self):
        if self.user:
            return 'Session %s for user %s' % (self.token, self.user)
        else:
            return 'Session %s for anonymous' % self.token

    def expired(self):
        now = etiquette.helpers.now()
        age = now - self.last_activity
        return age > SESSION_MAX_AGE

    def maintain(self):
        self.last_activity = etiquette.helpers.now()
Use urandom instead of uuid for session id. 2018-01-13 23:49:14 +00:00			`import flask; from flask import request`
very early session and registration support 2016-12-18 13:12:14 +00:00			`import functools`
Use urandom instead of uuid for session id. 2018-01-13 23:49:14 +00:00			`import math`
			`import os`
Include werkzeug Response type in typecheck. 2017-09-18 21:10:25 +00:00			`import werkzeug.wrappers`
very early session and registration support 2016-12-18 13:12:14 +00:00
Don't use `from etiquette import`. 2018-01-14 00:12:52 +00:00			`import etiquette`
Move modules into an actual package 2017-02-05 03:55:13 +00:00
Create sessions for anons as well, instead of just logged in. It makes sense that anon sessions are still sessions. So @give_token will ensure that every request has a session. Logged in conditionals move from 'if session' to 'if session.user'. 2018-01-16 02:41:21 +00:00			`SESSION_MAX_AGE = 86400`

Use urandom instead of uuid for session id. 2018-01-13 23:49:14 +00:00			`def _generate_token(length=32):`
			`randbytes = os.urandom(math.ceil(length / 2))`
			`token = ''.join('{:02x}'.format(x) for x in randbytes)`
			`token = token[:length]`
very early session and registration support 2016-12-18 13:12:14 +00:00			`return token`

			`def _normalize_token(token):`
Tighten the types for _normalize_token; include werkzeug wrappers. 2018-01-16 02:39:40 +00:00			`if isinstance(token, (flask.Request, werkzeug.wrappers.Request, werkzeug.local.LocalProxy)):`
			`request = token`
			`token = request.cookies.get('etiquette_session', None)`
			`if token is None:`
			`message = 'Cannot normalize token for request with no etiquette_session header.'`
			`raise TypeError(message, request)`
			`elif isinstance(token, str):`
			`pass`
			`else:`
			`raise TypeError('Unsupported token normalization', type(token))`
Oops, fix missing return statement. That would cause problems. 2018-01-14 00:14:01 +00:00			`return token`
Improve separation between front & back with etiquette_flask package Move flask-specific operations out of etiquette's files and into new etiquette_flask. In etiquette_site.py, etiquette calls are fully qualified. 2017-05-02 04:23:16 +00:00

very early session and registration support 2016-12-18 13:12:14 +00:00			`class SessionManager:`
			`def __init__(self):`
			`self.sessions = {}`

			`def add(self, session):`
			`self.sessions[session.token] = session`

			`def get(self, token):`
			`token = _normalize_token(token)`
Create sessions for anons as well, instead of just logged in. It makes sense that anon sessions are still sessions. So @give_token will ensure that every request has a session. Logged in conditionals move from 'if session' to 'if session.user'. 2018-01-16 02:41:21 +00:00			`session = self.sessions[token]`
Perform serverside expiration of sessions on get attempt. Also remove unnecessary conversion to int. 2018-01-20 05:59:50 +00:00			`if session.expired():`
			`raise KeyError(token)`
Use urandom instead of uuid for session id. 2018-01-13 23:49:14 +00:00			`return session`
very early session and registration support 2016-12-18 13:12:14 +00:00
			`def give_token(self, function):`
			`'''`
			This decorator ensures that the user has an `etiquette_session` cookie
			`before reaching the request handler.`
			`If the user does not have the cookie, they are given one.`
			`If they do, its lifespan is reset.`
			`'''`
			`@functools.wraps(function)`
			`def wrapped(args, *kwargs):`
			`# Inject new token so the function doesn't know the difference`
			`token = request.cookies.get('etiquette_session', None)`
If the user has a token we don't recognize, give them a new one. 2018-01-16 04:04:47 +00:00			`if not token or token not in self.sessions:`
very early session and registration support 2016-12-18 13:12:14 +00:00			`token = _generate_token()`
			`request.cookies = dict(request.cookies)`
			`request.cookies['etiquette_session'] = token`

Create sessions for anons as well, instead of just logged in. It makes sense that anon sessions are still sessions. So @give_token will ensure that every request has a session. Logged in conditionals move from 'if session' to 'if session.user'. 2018-01-16 02:41:21 +00:00			`try:`
			`session = self.get(token)`
			`except KeyError:`
			`session = Session(request, user=None)`
			`self.add(session)`
			`else:`
			`session.maintain()`

very early session and registration support 2016-12-18 13:12:14 +00:00			`response = function(args, *kwargs)`
Include werkzeug Response type in typecheck. 2017-09-18 21:10:25 +00:00			`if not isinstance(response, (flask.Response, werkzeug.wrappers.Response)):`
very early session and registration support 2016-12-18 13:12:14 +00:00			`response = flask.Response(response)`

			`# Send the token back to the client`
			`# but only if the endpoint didn't manually set the cookie.`
Improve technique for finding cookie set by function. Instead of iterating through all the outgoing headers. 2018-01-16 02:56:41 +00:00			`function_cookies = response.headers.get_all('Set-Cookie')`
			`if not any('etiquette_session=' in cookie for cookie in function_cookies):`
Create sessions for anons as well, instead of just logged in. It makes sense that anon sessions are still sessions. So @give_token will ensure that every request has a session. Logged in conditionals move from 'if session' to 'if session.user'. 2018-01-16 02:41:21 +00:00			`response.set_cookie(`
			`'etiquette_session',`
			`value=session.token,`
			`max_age=SESSION_MAX_AGE,`
			`)`
very early session and registration support 2016-12-18 13:12:14 +00:00
			`return response`
			`return wrapped`

			`def remove(self, token):`
			`token = _normalize_token(token)`
			`if token in self.sessions:`
			`self.sessions.pop(token)`

			`class Session:`
			`def __init__(self, request, user):`
			`self.token = _normalize_token(request)`
			`self.user = user`
			`self.ip_address = request.remote_addr`
			`self.user_agent = request.headers.get('User-Agent', '')`
Perform serverside expiration of sessions on get attempt. Also remove unnecessary conversion to int. 2018-01-20 05:59:50 +00:00			`self.last_activity = etiquette.helpers.now()`
very early session and registration support 2016-12-18 13:12:14 +00:00
Create sessions for anons as well, instead of just logged in. It makes sense that anon sessions are still sessions. So @give_token will ensure that every request has a session. Logged in conditionals move from 'if session' to 'if session.user'. 2018-01-16 02:41:21 +00:00			`def __repr__(self):`
			`if self.user:`
			`return 'Session %s for user %s' % (self.token, self.user)`
			`else:`
			`return 'Session %s for anonymous' % self.token`

Perform serverside expiration of sessions on get attempt. Also remove unnecessary conversion to int. 2018-01-20 05:59:50 +00:00			`def expired(self):`
			`now = etiquette.helpers.now()`
			`age = now - self.last_activity`
			`return age > SESSION_MAX_AGE`

very early session and registration support 2016-12-18 13:12:14 +00:00			`def maintain(self):`
Perform serverside expiration of sessions on get attempt. Also remove unnecessary conversion to int. 2018-01-20 05:59:50 +00:00			`self.last_activity = etiquette.helpers.now()`