From 409117f7a1827f16c5b4321acc4267d30e1d263d Mon Sep 17 00:00:00 2001
From: Julian Rother <julian@cccv.de>
Date: Sun, 19 Sep 2021 23:42:13 +0200
Subject: [PATCH] Bind session to client id

Fixes #5
---
 app.py | 5 ++++-
 test_app.py | 18 ++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/app.py b/app.py
index 4354df4..f0a3c0e 100644
--- a/app.py
+++ b/app.py
@@ -22,6 +22,7 @@ def create_app(test_config=None):
 def auth():
 try:
 timestamp = datetime.datetime.fromtimestamp(session['timestamp'])
+client_id = session['client_id']
 user_id = session['user_id']
 user_name = session['user_name']
 user_nickname = session['user_nickname']
@@ -32,7 +33,8 @@ def create_app(test_config=None):
 session.clear()
 session['cookies_enabled'] = True
 abort(401)
-if datetime.datetime.now() - timestamp > datetime.timedelta(days=2):
+if datetime.datetime.now() - timestamp > datetime.timedelta(days=2) or \
+client_id != request.headers['X-CLIENT-ID']:
 session.clear()
 session['cookies_enabled'] = True
 abort(401)
@@ -85,6 +87,7 @@ def create_app(test_config=None):
 session.clear()
 session['timestamp'] = datetime.datetime.now().timestamp()
+session['client_id'] = request.headers['X-CLIENT-ID']
 session['user_id'] = userinfo['id']
 session['user_name'] = userinfo['name']
 session['user_nickname'] = userinfo['nickname']
diff --git a/test_app.py b/test_app.py
index ac4db1c..08561f0 100644
--- a/test_app.py
+++ b/test_app.py
@@ -114,6 +114,7 @@ class TestCases(unittest.TestCase):
 self.assertEqual(r.location, 'https://127.0.0.123:7654/app')
 with self.client.session_transaction() as session:
 self.assertGreaterEqual(session['timestamp'], (datetime.datetime.now() - datetime.timedelta(seconds=60)).timestamp())
+self.assertEqual(session['client_id'], 'test_client_id')
 self.assertEqual(session['user_id'], 1234)
 self.assertEqual(session['user_name'], 'Test User')
 self.assertEqual(session['user_nickname'], 'testuser')
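Review bot: The new `client_id != request.headers['X-CLIENT-ID']` comparison in the auth() hunk sits outside the try/except that guards the session reads, so a request that carries no X-CLIENT-ID header raises from the Headers lookup (werkzeug's BadRequestKeyError, a KeyError subclass) and, as far as I can tell, surfaces as a 400 rather than taking the session-clearing 401 branch right below it. Reading the header with `request.headers.get('X-CLIENT-ID')` makes a missing header compare unequal to the stored id and fall into that same branch, which is the failure mode a session-binding check should have. The `session['client_id'] = request.headers['X-CLIENT-ID']` assignment in the login hunk below has the same behaviour on a missing header and should be reviewed together with this one. A one-line comment above the condition, `# A session is only valid for the client id it was created under`, would record the intent the commit title states. auth() starts and continues outside the hunk.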
@@ -136,6 +137,7 @@ class TestCases(unittest.TestCase):
 def test_auth_session(self):
 with self.client.session_transaction() as session:
 session['timestamp'] = datetime.datetime.now().timestamp()
+session['client_id'] = 'test_client_id'
 session['user_id'] = 1234
 session['user_name'] = 'Test User'
 session['user_nickname'] = 'testuser'
@@ -154,6 +156,20 @@ class TestCases(unittest.TestCase):
 def test_auth_session_timeout(self):
 with self.client.session_transaction() as session:
 session['timestamp'] = (datetime.datetime.now() - datetime.timedelta(days=3)).timestamp()
+session['client_id'] = 'test_client_id'
+session['user_id'] = 1234
+session['user_name'] = 'Test User'
+session['user_nickname'] = 'testuser'
+session['user_email'] = 'test@example.com'
+session['user_ldap_dn'] = 'uid=testuser,ou=users,dc=example,dc=com'
+session['user_groups'] = ['uffd_access', 'users']
+r = self.client.get(path='/auth', headers=headers)
+self.assertEqual(r.status_code, 401)
+
+def test_auth_session_wrong_client(self):
+with self.client.session_transaction() as session:
+session['timestamp'] = (datetime.datetime.now() - datetime.timedelta(days=3)).timestamp()
+session['client_id'] = 'other_client_id'
 session['user_id'] = 1234
 session['user_name'] = 'Test User'
 session['user_nickname'] = 'testuser'
@@ -166,6 +182,7 @@ class TestCases(unittest.TestCase):
 def test_logout(self):
 with self.client.session_transaction() as session:
 session['timestamp'] = datetime.datetime.now().timestamp()
+session['client_id'] = 'test_client_id'
 session['user_id'] = 1234
 session['user_name'] = 'Test User'
 session['user_nickname'] = 'testuser'
@@ -186,6 +203,7 @@ class TestCases(unittest.TestCase):
 def test_logout_redirect(self):
 with self.client.session_transaction() as session:
 session['timestamp'] = datetime.datetime.now().timestamp()
+session['client_id'] = 'test_client_id'
 session['user_id'] = 1234
 session['user_name'] = 'Test User'
 session['user_nickname'] = 'testuser'
-- 
GitLab
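Review bot: `test_auth_session_wrong_client` in the -154 hunk seeds `session['timestamp']` with a value three days old, the same stale timestamp `test_auth_session_timeout` uses, so the 401 it presumably asserts is already produced by the two-day age check and the test never shows that a mismatched client id on its own rejects the session. Seeding a fresh timestamp, `session['timestamp'] = datetime.datetime.now().timestamp()`, leaves the `'other_client_id'` mismatch as the only reason for the rejection and makes the test actually cover the binding this commit adds. A companion case that sends the request without the X-CLIENT-ID header would pin down what a missing header yields. The body of the new test, including its request and assertion, continues past the end of the hunk.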