From 409117f7a1827f16c5b4321acc4267d30e1d263d Mon Sep 17 00:00:00 2001
From: Julian Rother <julian@cccv.de>
Date: Sun, 19 Sep 2021 23:42:13 +0200
Subject: [PATCH] Bind session to client id

Fixes #5
---
 app.py      |  5 ++++-
 test_app.py | 18 ++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/app.py b/app.py
index 4354df4..f0a3c0e 100644
--- a/app.py
+++ b/app.py
@@ -22,6 +22,7 @@ def create_app(test_config=None):
 	def auth():
 		try:
 			timestamp = datetime.datetime.fromtimestamp(session['timestamp'])
+			client_id = session['client_id']
 			user_id = session['user_id']
 			user_name = session['user_name']
 			user_nickname = session['user_nickname']
@@ -32,7 +33,8 @@ def create_app(test_config=None):
 			session.clear()
 			session['cookies_enabled'] = True
 			abort(401)
-		if datetime.datetime.now() - timestamp > datetime.timedelta(days=2):
+		if datetime.datetime.now() - timestamp > datetime.timedelta(days=2) or \
+					client_id != request.headers['X-CLIENT-ID']:
 			session.clear()
 			session['cookies_enabled'] = True
 			abort(401)
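Review bot: The header lookup `request.headers['X-CLIENT-ID']` on the new condition is outside the `try` that guards the session reads, so a request without that header raises werkzeug's BadRequestKeyError and the endpoint answers 400 with the session left intact, while every other failure in this function clears the session and answers 401. A missing-header request would be rejected uniformly with `client_id != request.headers.get('X-CLIENT-ID')`, since the stored id can never equal None. The same strict lookup is added at the login path in the third hunk (`session['client_id'] = request.headers['X-CLIENT-ID']`); there a 400 on a missing header may be the intended signal of a proxy misconfiguration, but the choice deserves a comment, e.g. `# X-CLIENT-ID is expected to be set by the reverse proxy; a missing header is a deployment error`. As a point of style, the backslash continuation with the over-indented second line would read better as a parenthesised condition: `if (datetime.datetime.now() - timestamp > datetime.timedelta(days=2)` / `        or client_id != request.headers.get('X-CLIENT-ID')):`. The enclosing auth() view starts before this hunk and its body continues after it.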
@@ -85,6 +87,7 @@ def create_app(test_config=None):
 
 		session.clear()
 		session['timestamp'] = datetime.datetime.now().timestamp()
+		session['client_id'] = request.headers['X-CLIENT-ID']
 		session['user_id'] = userinfo['id']
 		session['user_name'] = userinfo['name']
 		session['user_nickname'] = userinfo['nickname']
diff --git a/test_app.py b/test_app.py
index ac4db1c..08561f0 100644
--- a/test_app.py
+++ b/test_app.py
@@ -114,6 +114,7 @@ class TestCases(unittest.TestCase):
 		self.assertEqual(r.location, 'https://127.0.0.123:7654/app')
 		with self.client.session_transaction() as session:
 			self.assertGreaterEqual(session['timestamp'], (datetime.datetime.now() - datetime.timedelta(seconds=60)).timestamp())
+			self.assertEqual(session['client_id'], 'test_client_id')
 			self.assertEqual(session['user_id'], 1234)
 			self.assertEqual(session['user_name'], 'Test User')
 			self.assertEqual(session['user_nickname'], 'testuser')
@@ -136,6 +137,7 @@ class TestCases(unittest.TestCase):
 	def test_auth_session(self):
 		with self.client.session_transaction() as session:
 			session['timestamp'] = datetime.datetime.now().timestamp()
+			session['client_id'] = 'test_client_id'
 			session['user_id'] = 1234
 			session['user_name'] = 'Test User'
 			session['user_nickname'] = 'testuser'
@@ -154,6 +156,20 @@ class TestCases(unittest.TestCase):
 	def test_auth_session_timeout(self):
 		with self.client.session_transaction() as session:
 			session['timestamp'] = (datetime.datetime.now() - datetime.timedelta(days=3)).timestamp()
+			session['client_id'] = 'test_client_id'
+			session['user_id'] = 1234
+			session['user_name'] = 'Test User'
+			session['user_nickname'] = 'testuser'
+			session['user_email'] = 'test@example.com'
+			session['user_ldap_dn'] = 'uid=testuser,ou=users,dc=example,dc=com'
+			session['user_groups'] = ['uffd_access', 'users']
+		r = self.client.get(path='/auth', headers=headers)
+		self.assertEqual(r.status_code, 401)
+
+	def test_auth_session_wrong_client(self):
+		with self.client.session_transaction() as session:
+			session['timestamp'] = (datetime.datetime.now() - datetime.timedelta(days=3)).timestamp()
+			session['client_id'] = 'other_client_id'
 			session['user_id'] = 1234
 			session['user_name'] = 'Test User'
 			session['user_nickname'] = 'testuser'
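Review bot: test_auth_session_wrong_client sets `session['timestamp']` three days in the past as well as `session['client_id'] = 'other_client_id'`, so the expected 401 is already produced by the existing two-day timeout branch and the test would pass even if the client-id comparison were removed. The wrong-client case is only isolated with a fresh timestamp: `session['timestamp'] = datetime.datetime.now().timestamp()`. A companion test that sends the request without the X-CLIENT-ID header would also pin down which status the endpoint is meant to return in that case, since the new comparison reads the header outside the try block in app.py. The body of the new test method continues past the end of this hunk.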
@@ -166,6 +182,7 @@ class TestCases(unittest.TestCase):
 	def test_logout(self):
 		with self.client.session_transaction() as session:
 			session['timestamp'] = datetime.datetime.now().timestamp()
+			session['client_id'] = 'test_client_id'
 			session['user_id'] = 1234
 			session['user_name'] = 'Test User'
 			session['user_nickname'] = 'testuser'
@@ -186,6 +203,7 @@ class TestCases(unittest.TestCase):
 	def test_logout_redirect(self):
 		with self.client.session_transaction() as session:
 			session['timestamp'] = datetime.datetime.now().timestamp()
+			session['client_id'] = 'test_client_id'
 			session['user_id'] = 1234
 			session['user_name'] = 'Test User'
 			session['user_nickname'] = 'testuser'
-- 
GitLab