Skip to content
Snippets Groups Projects
Commit ea7786a1 authored by Julian's avatar Julian
Browse files

Limit session lifetime to two days

Fixes #3
parent 8b9bcbb7
Branches
Tags
No related merge requests found
import os
import secrets
import datetime
from flask import Flask, session, request, redirect, abort, Response, url_for
......@@ -20,13 +21,19 @@ def create_app(test_config=None):
@app.route('/auth')
def auth():
try:
timestamp = datetime.datetime.fromtimestamp(session['timestamp'])
user_id = session['user_id']
user_name = session['user_name']
user_nickname = session['user_nickname']
user_email = session['user_email']
user_ldap_dn = session['user_ldap_dn']
user_groups = session['user_groups']
except KeyError:
except (KeyError, OverflowError):
session.clear()
session['cookies_enabled'] = True
abort(401)
if datetime.datetime.now() - timestamp > datetime.timedelta(days=2):
session.clear()
session['cookies_enabled'] = True
abort(401)
resp = Response('Ok', 200)
......@@ -47,6 +54,7 @@ def create_app(test_config=None):
# The cookies_enabled check prevents redirect loops:
# login (sets state) -> idp_authorize -> callback (no state set) -> login
if not session.get('cookies_enabled'):
session.clear()
session['cookies_enabled'] = True
abort(400, description='Enable cookies and reload two times to continue')
client = get_oauth()
......@@ -76,6 +84,7 @@ def create_app(test_config=None):
userinfo = client.get(app.config['OAUTH2_USERINFO_URL']).json()
session.clear()
session['timestamp'] = datetime.datetime.now().timestamp()
session['user_id'] = userinfo['id']
session['user_name'] = userinfo['name']
session['user_nickname'] = userinfo['nickname']
......
......@@ -5,6 +5,7 @@ except ImportError:
from unittest import mock
import json
import urllib.parse
import datetime
from requests import Session, Response
......@@ -112,6 +113,7 @@ class TestCases(unittest.TestCase):
self.assertEqual(r.status_code, 302)
self.assertEqual(r.location, 'https://127.0.0.123:7654/app')
with self.client.session_transaction() as session:
self.assertGreaterEqual(session['timestamp'], (datetime.datetime.now() - datetime.timedelta(seconds=60)).timestamp())
self.assertEqual(session['user_id'], 1234)
self.assertEqual(session['user_name'], 'Test User')
self.assertEqual(session['user_nickname'], 'testuser')
......@@ -133,6 +135,7 @@ class TestCases(unittest.TestCase):
def test_auth_session(self):
with self.client.session_transaction() as session:
session['timestamp'] = datetime.datetime.now().timestamp()
session['user_id'] = 1234
session['user_name'] = 'Test User'
session['user_nickname'] = 'testuser'
......@@ -148,8 +151,21 @@ class TestCases(unittest.TestCase):
self.assertEqual(r.headers['OAUTH-USER-LDAP-DN'], 'uid=testuser,ou=users,dc=example,dc=com')
self.assertIn(r.headers['OAUTH-USER-GROUPS'], ['uffd_access,users', 'users,uffd_access'])
def test_auth_session_timeout(self):
with self.client.session_transaction() as session:
session['timestamp'] = (datetime.datetime.now() - datetime.timedelta(days=3)).timestamp()
session['user_id'] = 1234
session['user_name'] = 'Test User'
session['user_nickname'] = 'testuser'
session['user_email'] = 'test@example.com'
session['user_ldap_dn'] = 'uid=testuser,ou=users,dc=example,dc=com'
session['user_groups'] = ['uffd_access', 'users']
r = self.client.get(path='/auth', headers=headers)
self.assertEqual(r.status_code, 401)
def test_logout(self):
with self.client.session_transaction() as session:
session['timestamp'] = datetime.datetime.now().timestamp()
session['user_id'] = 1234
session['user_name'] = 'Test User'
session['user_nickname'] = 'testuser'
......@@ -169,6 +185,7 @@ class TestCases(unittest.TestCase):
def test_logout_redirect(self):
with self.client.session_transaction() as session:
session['timestamp'] = datetime.datetime.now().timestamp()
session['user_id'] = 1234
session['user_name'] = 'Test User'
session['user_nickname'] = 'testuser'
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment