etiquette/frontends/etiquette_flask/backend/sessions.py

import flask; from flask import request
import functools
import werkzeug.datastructures

from voussoirkit import cacheclass
from voussoirkit import flasktools
from voussoirkit import passwordy
from voussoirkit import timetools

import etiquette

SESSION_MAX_AGE = 86400

def _generate_token(length=32):
    return passwordy.random_hex(length=length)

def _normalize_token(token):
    if isinstance(token, flasktools.REQUEST_TYPES):
        request = token
        token = request.cookies.get('etiquette_session', None)
        if token is None:
            # During normal usage, this does not occur because give_token is
            # applied *before* the request handler even sees the request.
            # Just a precaution.
            message = 'Cannot normalize token for request with no etiquette_session header.'
            raise TypeError(message, request)
    elif isinstance(token, str):
        pass
    else:
        raise TypeError('Unsupported token normalization', type(token))
    return token

class SessionManager:
    def __init__(self, maxlen=None):
        self.sessions = cacheclass.Cache(maxlen=maxlen)

    def add(self, session):
        self.sessions[session.token] = session

    def clear(self):
        self.sessions.clear()

    def get(self, request):
        token = _normalize_token(request)
        session = self.sessions[token]
        invalid = (
            request.remote_addr != session.ip_address or
            session.expired()
        )
        if invalid:
            self.remove(token)
            raise KeyError(token)
        return session

    def give_token(self, function):
        '''
        This decorator ensures that the user has an `etiquette_session` cookie
        before reaching the request handler.
        If the user does not have the cookie, they are given one.
        If they do, its lifespan is reset.
        '''
        @functools.wraps(function)
        def wrapped(*args, **kwargs):
            # Inject new token so the function doesn't know the difference
            token = request.cookies.get('etiquette_session', None)
            if not token or token not in self.sessions:
                token = _generate_token()
                # cookies is currently an ImmutableMultiDict, but in order to
                # trick the wrapped function I'm gonna have to mutate it.
                # It is important to use a werkzeug MultiDict and not a plain
                # Python dict, because werkzeug puts cookies into lists like
                # {name: [value]} and then cookies.get pulls the first item out
                # of that list. A plain dict wouldn't have this .get behavior.
                request.cookies = werkzeug.datastructures.MultiDict(request.cookies)
                request.cookies['etiquette_session'] = token

            try:
                session = self.get(request)
            except KeyError:
                session = Session(request, user=None)
                self.add(session)
            else:
                session.maintain()

            response = function(*args, **kwargs)

            # Send the token back to the client
            # but only if the endpoint didn't manually set the cookie.
            function_cookies = response.headers.get_all('Set-Cookie')
            if not any('etiquette_session=' in cookie for cookie in function_cookies):
                response.set_cookie(
                    'etiquette_session',
                    value=session.token,
                    max_age=SESSION_MAX_AGE,
                    httponly=True,
                )

            return response
        return wrapped

    def remove(self, token):
        token = _normalize_token(token)
        try:
            self.sessions.remove(token)
        except KeyError:
            pass

class Session:
    def __init__(self, request, user):
        self.token = _normalize_token(request)
        self.user = user
        self.ip_address = request.remote_addr
        self.user_agent = request.headers.get('User-Agent', '')
        self.last_activity = timetools.now()

    def __repr__(self):
        if self.user:
            return f'Session {self.token} for user {self.user}'
        else:
            return f'Session {self.token} for anonymous'

    def expired(self):
        now = timetools.now()
        age = now - self.last_activity
        return age.seconds > SESSION_MAX_AGE

    def maintain(self):
        self.last_activity = timetools.now()
Use urandom instead of uuid for session id. 2018-01-13 23:49:14 +00:00			`import flask; from flask import request`
very early session and registration support 2016-12-18 13:12:14 +00:00			`import functools`
Convert cookies to werkzeug MultiDict instead of plain dict. I discovered that werkzeug stores cookies in lists, with its .get returning only the first item of the list. By converting the cookies to a plain dict, I was breaking that functionality of cookies.get. So, using werkzeug's MultiDict is the correct choice. 2020-09-10 01:53:26 +00:00			`import werkzeug.datastructures`
very early session and registration support 2016-12-18 13:12:14 +00:00
Let the SessionManager use a cacheclass instead of plain dict. 2018-03-19 04:23:48 +00:00			`from voussoirkit import cacheclass`
Move REQUEST_TYPES, RESPONSE_TYPES to voussoirkit.flasktools. 2021-06-05 04:00:22 +00:00			`from voussoirkit import flasktools`
Move random_hex function to voussoirkit/passwordy. 2021-01-05 20:38:04 +00:00			`from voussoirkit import passwordy`
Use voussoirkit timetools. 2022-11-07 06:48:59 +00:00			`from voussoirkit import timetools`
Let the SessionManager use a cacheclass instead of plain dict. 2018-03-19 04:23:48 +00:00
Rearrange imports so voussoirkit is right after lib imports. Added a styleguide.md file to refer back to. Since voussoirkit is a library it feels better to have it below the rest of the library and above the local project imports. 2018-11-05 03:27:20 +00:00			`import etiquette`

Create sessions for anons as well, instead of just logged in. It makes sense that anon sessions are still sessions. So @give_token will ensure that every request has a session. Logged in conditionals move from 'if session' to 'if session.user'. 2018-01-16 02:41:21 +00:00			`SESSION_MAX_AGE = 86400`

Use urandom instead of uuid for session id. 2018-01-13 23:49:14 +00:00			`def _generate_token(length=32):`
Move random_hex function to voussoirkit/passwordy. 2021-01-05 20:38:04 +00:00			`return passwordy.random_hex(length=length)`
very early session and registration support 2016-12-18 13:12:14 +00:00
			`def _normalize_token(token):`
Move REQUEST_TYPES, RESPONSE_TYPES to voussoirkit.flasktools. 2021-06-05 04:00:22 +00:00			`if isinstance(token, flasktools.REQUEST_TYPES):`
Tighten the types for _normalize_token; include werkzeug wrappers. 2018-01-16 02:39:40 +00:00			`request = token`
			`token = request.cookies.get('etiquette_session', None)`
			`if token is None:`
Let SessionManager.get require Request object; Check IP addr. So far there is no use case in which get needs to be called with something other than a Request, and I don't think there will be. So let's make that part of the design and we can also take the opportunity to check IP. 2018-02-03 10:10:07 +00:00			`# During normal usage, this does not occur because give_token is`
			`# applied before the request handler even sees the request.`
			`# Just a precaution.`
Tighten the types for _normalize_token; include werkzeug wrappers. 2018-01-16 02:39:40 +00:00			`message = 'Cannot normalize token for request with no etiquette_session header.'`
			`raise TypeError(message, request)`
			`elif isinstance(token, str):`
			`pass`
			`else:`
			`raise TypeError('Unsupported token normalization', type(token))`
Oops, fix missing return statement. That would cause problems. 2018-01-14 00:14:01 +00:00			`return token`
Improve separation between front & back with etiquette_flask package Move flask-specific operations out of etiquette's files and into new etiquette_flask. In etiquette_site.py, etiquette calls are fully qualified. 2017-05-02 04:23:16 +00:00
very early session and registration support 2016-12-18 13:12:14 +00:00			`class SessionManager:`
Let the SessionManager use a cacheclass instead of plain dict. 2018-03-19 04:23:48 +00:00			`def __init__(self, maxlen=None):`
			`self.sessions = cacheclass.Cache(maxlen=maxlen)`
very early session and registration support 2016-12-18 13:12:14 +00:00
			`def add(self, session):`
			`self.sessions[session.token] = session`

Add admin button to clear all login sessions. 2022-11-08 01:51:02 +00:00			`def clear(self):`
			`self.sessions.clear()`

Let SessionManager.get require Request object; Check IP addr. So far there is no use case in which get needs to be called with something other than a Request, and I don't think there will be. So let's make that part of the design and we can also take the opportunity to check IP. 2018-02-03 10:10:07 +00:00			`def get(self, request):`
			`token = _normalize_token(request)`
Create sessions for anons as well, instead of just logged in. It makes sense that anon sessions are still sessions. So @give_token will ensure that every request has a session. Logged in conditionals move from 'if session' to 'if session.user'. 2018-01-16 02:41:21 +00:00			`session = self.sessions[token]`
Let SessionManager.get require Request object; Check IP addr. So far there is no use case in which get needs to be called with something other than a Request, and I don't think there will be. So let's make that part of the design and we can also take the opportunity to check IP. 2018-02-03 10:10:07 +00:00			`invalid = (`
			`request.remote_addr != session.ip_address or`
			`session.expired()`
			`)`
			`if invalid:`
			`self.remove(token)`
Perform serverside expiration of sessions on get attempt. Also remove unnecessary conversion to int. 2018-01-20 05:59:50 +00:00			`raise KeyError(token)`
Use urandom instead of uuid for session id. 2018-01-13 23:49:14 +00:00			`return session`
very early session and registration support 2016-12-18 13:12:14 +00:00
			`def give_token(self, function):`
			`'''`
			This decorator ensures that the user has an `etiquette_session` cookie
			`before reaching the request handler.`
			`If the user does not have the cookie, they are given one.`
			`If they do, its lifespan is reset.`
			`'''`
			`@functools.wraps(function)`
			`def wrapped(args, *kwargs):`
			`# Inject new token so the function doesn't know the difference`
			`token = request.cookies.get('etiquette_session', None)`
If the user has a token we don't recognize, give them a new one. 2018-01-16 04:04:47 +00:00			`if not token or token not in self.sessions:`
very early session and registration support 2016-12-18 13:12:14 +00:00			`token = _generate_token()`
Convert cookies to werkzeug MultiDict instead of plain dict. I discovered that werkzeug stores cookies in lists, with its .get returning only the first item of the list. By converting the cookies to a plain dict, I was breaking that functionality of cookies.get. So, using werkzeug's MultiDict is the correct choice. 2020-09-10 01:53:26 +00:00			`# cookies is currently an ImmutableMultiDict, but in order to`
			`# trick the wrapped function I'm gonna have to mutate it.`
			`# It is important to use a werkzeug MultiDict and not a plain`
			`# Python dict, because werkzeug puts cookies into lists like`
			`# {name: [value]} and then cookies.get pulls the first item out`
			`# of that list. A plain dict wouldn't have this .get behavior.`
			`request.cookies = werkzeug.datastructures.MultiDict(request.cookies)`
very early session and registration support 2016-12-18 13:12:14 +00:00			`request.cookies['etiquette_session'] = token`

Create sessions for anons as well, instead of just logged in. It makes sense that anon sessions are still sessions. So @give_token will ensure that every request has a session. Logged in conditionals move from 'if session' to 'if session.user'. 2018-01-16 02:41:21 +00:00			`try:`
Let SessionManager.get require Request object; Check IP addr. So far there is no use case in which get needs to be called with something other than a Request, and I don't think there will be. So let's make that part of the design and we can also take the opportunity to check IP. 2018-02-03 10:10:07 +00:00			`session = self.get(request)`
Create sessions for anons as well, instead of just logged in. It makes sense that anon sessions are still sessions. So @give_token will ensure that every request has a session. Logged in conditionals move from 'if session' to 'if session.user'. 2018-01-16 02:41:21 +00:00			`except KeyError:`
			`session = Session(request, user=None)`
			`self.add(session)`
			`else:`
			`session.maintain()`

very early session and registration support 2016-12-18 13:12:14 +00:00			`response = function(args, *kwargs)`

			`# Send the token back to the client`
			`# but only if the endpoint didn't manually set the cookie.`
Improve technique for finding cookie set by function. Instead of iterating through all the outgoing headers. 2018-01-16 02:56:41 +00:00			`function_cookies = response.headers.get_all('Set-Cookie')`
			`if not any('etiquette_session=' in cookie for cookie in function_cookies):`
Create sessions for anons as well, instead of just logged in. It makes sense that anon sessions are still sessions. So @give_token will ensure that every request has a session. Logged in conditionals move from 'if session' to 'if session.user'. 2018-01-16 02:41:21 +00:00			`response.set_cookie(`
			`'etiquette_session',`
			`value=session.token,`
			`max_age=SESSION_MAX_AGE,`
Add httponly to session cookie. 2020-09-10 02:19:35 +00:00			`httponly=True,`
Create sessions for anons as well, instead of just logged in. It makes sense that anon sessions are still sessions. So @give_token will ensure that every request has a session. Logged in conditionals move from 'if session' to 'if session.user'. 2018-01-16 02:41:21 +00:00			`)`
very early session and registration support 2016-12-18 13:12:14 +00:00
			`return response`
			`return wrapped`

			`def remove(self, token):`
			`token = _normalize_token(token)`
Let SessionManager.get require Request object; Check IP addr. So far there is no use case in which get needs to be called with something other than a Request, and I don't think there will be. So let's make that part of the design and we can also take the opportunity to check IP. 2018-02-03 10:10:07 +00:00			`try:`
Oops, should be .remove instead of .pop for the cacheclass. 2018-03-23 07:33:50 +00:00			`self.sessions.remove(token)`
Let SessionManager.get require Request object; Check IP addr. So far there is no use case in which get needs to be called with something other than a Request, and I don't think there will be. So let's make that part of the design and we can also take the opportunity to check IP. 2018-02-03 10:10:07 +00:00			`except KeyError:`
			`pass`

very early session and registration support 2016-12-18 13:12:14 +00:00			`class Session:`
			`def __init__(self, request, user):`
			`self.token = _normalize_token(request)`
			`self.user = user`
			`self.ip_address = request.remote_addr`
			`self.user_agent = request.headers.get('User-Agent', '')`
Use voussoirkit timetools. 2022-11-07 06:48:59 +00:00			`self.last_activity = timetools.now()`
very early session and registration support 2016-12-18 13:12:14 +00:00
Create sessions for anons as well, instead of just logged in. It makes sense that anon sessions are still sessions. So @give_token will ensure that every request has a session. Logged in conditionals move from 'if session' to 'if session.user'. 2018-01-16 02:41:21 +00:00			`def __repr__(self):`
			`if self.user:`
Switch to f-string formatting in many places. 2018-07-19 01:36:36 +00:00			`return f'Session {self.token} for user {self.user}'`
Create sessions for anons as well, instead of just logged in. It makes sense that anon sessions are still sessions. So @give_token will ensure that every request has a session. Logged in conditionals move from 'if session' to 'if session.user'. 2018-01-16 02:41:21 +00:00			`else:`
Switch to f-string formatting in many places. 2018-07-19 01:36:36 +00:00			`return f'Session {self.token} for anonymous'`
Create sessions for anons as well, instead of just logged in. It makes sense that anon sessions are still sessions. So @give_token will ensure that every request has a session. Logged in conditionals move from 'if session' to 'if session.user'. 2018-01-16 02:41:21 +00:00
Perform serverside expiration of sessions on get attempt. Also remove unnecessary conversion to int. 2018-01-20 05:59:50 +00:00			`def expired(self):`
Use voussoirkit timetools. 2022-11-07 06:48:59 +00:00			`now = timetools.now()`
Perform serverside expiration of sessions on get attempt. Also remove unnecessary conversion to int. 2018-01-20 05:59:50 +00:00			`age = now - self.last_activity`
Use datetime objects instead of timestamps in object model. Trying to make better use of objects in this object oriented language. 2022-07-20 03:03:43 +00:00			`return age.seconds > SESSION_MAX_AGE`
Perform serverside expiration of sessions on get attempt. Also remove unnecessary conversion to int. 2018-01-20 05:59:50 +00:00
very early session and registration support 2016-12-18 13:12:14 +00:00			`def maintain(self):`
Use voussoirkit timetools. 2022-11-07 06:48:59 +00:00			`self.last_activity = timetools.now()`