diff options
| author | Elrond <elrond+mediagoblin.org@samba-tng.org> | 2013-04-09 19:40:54 +0200 |
|---|---|---|
| committer | Elrond <elrond+mediagoblin.org@samba-tng.org> | 2013-04-09 19:40:54 +0200 |
| commit | 8021cc5605850c0dd24a86ff0128b5fad8e3f425 (patch) | |
| tree | 38befd9c14174b857bd2757accf27661f75e613e /mediagoblin/tools/session.py | |
| parent | b98882e16ee855af0e6d255cb5ec9ab6d800b3f4 (diff) | |
| parent | 3843697c288d1f6447745fd3c1beafd1732c1431 (diff) | |
| download | mediagoblin-8021cc5605850c0dd24a86ff0128b5fad8e3f425.tar.lz mediagoblin-8021cc5605850c0dd24a86ff0128b5fad8e3f425.tar.xz mediagoblin-8021cc5605850c0dd24a86ff0128b5fad8e3f425.zip | |
Merge remote-tracking branch 'brett/itsdangerous'
* brett/itsdangerous:
Call is_updated instead of testing it boolean.
Harden It's Dangerous key management.
First tests for the Session class.
Set a starting value for session.send_new_cookie.
Remove beaker stuff from the code.
Delete the session cookie on an empty session.
Back sessions with It's Dangerous.
Improve fs security for itsdangerous secret.
Docs for get_timed_signer_url.
Basic itsdangerous infrastructure.
Conflicts:
mediagoblin/tests/test_cache.py
Diffstat (limited to 'mediagoblin/tools/session.py')
| -rw-r--r-- | mediagoblin/tools/session.py | 67 |
1 files changed, 67 insertions, 0 deletions
diff --git a/mediagoblin/tools/session.py b/mediagoblin/tools/session.py new file mode 100644 index 00000000..d452b851 --- /dev/null +++ b/mediagoblin/tools/session.py @@ -0,0 +1,67 @@ +# GNU MediaGoblin -- federated, autonomous media hosting +# Copyright (C) 2013 MediaGoblin contributors. See AUTHORS. +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import itsdangerous +import logging + +import crypto + +_log = logging.getLogger(__name__) + +class Session(dict): + def __init__(self, *args, **kwargs): + self.send_new_cookie = False + dict.__init__(self, *args, **kwargs) + + def save(self): + self.send_new_cookie = True + + def is_updated(self): + return self.send_new_cookie + + def delete(self): + self.clear() + self.save() + + +class SessionManager(object): + def __init__(self, cookie_name='MGSession', namespace=None): + if namespace is None: + namespace = cookie_name + self.signer = crypto.get_timed_signer_url(namespace) + self.cookie_name = cookie_name + + def load_session_from_cookie(self, request): + cookie = request.cookies.get(self.cookie_name) + if not cookie: + return Session() + ### FIXME: Future cookie-blacklisting code + # m = BadCookie.query.filter_by(cookie = cookie) + # if m: + # _log.warn("Bad cookie received: %s", m.reason) + # raise BadRequest() + try: + return Session(self.signer.loads(cookie)) + except itsdangerous.BadData: + return Session() + + def save_session_to_cookie(self, session, response): + if not session.is_updated(): + return + elif not session: + response.delete_cookie(self.cookie_name) + else: + response.set_cookie(self.cookie_name, self.signer.dumps(session)) |