diff options
| author | Bryan Newbold <bnewbold@robocracy.org> | 2019-01-04 17:59:59 -0800 |
|---|---|---|
| committer | Bryan Newbold <bnewbold@robocracy.org> | 2019-01-04 17:59:59 -0800 |
| commit | 6eeead67f1d9af4ff2fc3c6c1188bc372e7d05a0 (patch) | |
| tree | eb5d07a42f68b389b561542e5f1a23f1b10d5eb8 | |
| parent | 084e476957ce80b456dcf0575de4efc7331d34f9 (diff) | |
| download | fatcat-6eeead67f1d9af4ff2fc3c6c1188bc372e7d05a0.tar.gz fatcat-6eeead67f1d9af4ff2fc3c6c1188bc372e7d05a0.zip | |
one-month default session; lock down cookies
| -rw-r--r-- | python/fatcat_web/auth.py | 2 | ||||
| -rw-r--r-- | python/fatcat_web/web_config.py | 6 |
2 files changed, 8 insertions, 0 deletions
diff --git a/python/fatcat_web/auth.py b/python/fatcat_web/auth.py index 0bdb564f..8b57a8c0 100644 --- a/python/fatcat_web/auth.py +++ b/python/fatcat_web/auth.py @@ -28,6 +28,7 @@ def handle_token_login(token): abort(400) # fetch editor info editor = api.get_editor(editor_id) + session.permanent = True session['api_token'] = token session['editor'] = editor.to_dict() login_user(load_user(editor.editor_id)) @@ -64,6 +65,7 @@ def handle_oauth(remote, token, user_info): flash("Welcome back!") # write token and username to session + session.permanent = True session['api_token'] = api_token session['editor'] = editor.to_dict() diff --git a/python/fatcat_web/web_config.py b/python/fatcat_web/web_config.py index 5713738c..85134762 100644 --- a/python/fatcat_web/web_config.py +++ b/python/fatcat_web/web_config.py @@ -34,6 +34,12 @@ class Config(object): GITLAB_CLIENT_ID = os.environ.get("GITLAB_CLIENT_ID", default="bogus") GITLAB_CLIENT_SECRET = os.environ.get("GITLAB_CLIENT_SECRET", default="bogus") + # protect cookies (which include API tokens) + SESSION_COOKIE_HTTPONLY = True + SESSION_COOKIE_SECURE = True + SESSION_COOKIE_SAMESITE = 'Lax' + PERMANENT_SESSION_LIFETIME = 2678400 # 31 days, in seconds + try: GIT_RELEASE = raven.fetch_git_sha('..') except Exception as e: |