diff options
-rw-r--r-- | python/fatcat_web/auth.py | 2 | ||||
-rw-r--r-- | python/fatcat_web/web_config.py | 6 |
2 files changed, 8 insertions, 0 deletions
diff --git a/python/fatcat_web/auth.py b/python/fatcat_web/auth.py index 0bdb564f..8b57a8c0 100644 --- a/python/fatcat_web/auth.py +++ b/python/fatcat_web/auth.py @@ -28,6 +28,7 @@ def handle_token_login(token): abort(400) # fetch editor info editor = api.get_editor(editor_id) + session.permanent = True session['api_token'] = token session['editor'] = editor.to_dict() login_user(load_user(editor.editor_id)) @@ -64,6 +65,7 @@ def handle_oauth(remote, token, user_info): flash("Welcome back!") # write token and username to session + session.permanent = True session['api_token'] = api_token session['editor'] = editor.to_dict() diff --git a/python/fatcat_web/web_config.py b/python/fatcat_web/web_config.py index 5713738c..85134762 100644 --- a/python/fatcat_web/web_config.py +++ b/python/fatcat_web/web_config.py @@ -34,6 +34,12 @@ class Config(object): GITLAB_CLIENT_ID = os.environ.get("GITLAB_CLIENT_ID", default="bogus") GITLAB_CLIENT_SECRET = os.environ.get("GITLAB_CLIENT_SECRET", default="bogus") + # protect cookies (which include API tokens) + SESSION_COOKIE_HTTPONLY = True + SESSION_COOKIE_SECURE = True + SESSION_COOKIE_SAMESITE = 'Lax' + PERMANENT_SESSION_LIFETIME = 2678400 # 31 days, in seconds + try: GIT_RELEASE = raven.fetch_git_sha('..') except Exception as e: |