summaryrefslogtreecommitdiffstats
path: root/python
diff options
context:
space:
mode:
Diffstat (limited to 'python')
-rw-r--r--python/fatcat_web/auth.py2
-rw-r--r--python/fatcat_web/web_config.py6
2 files changed, 8 insertions, 0 deletions
diff --git a/python/fatcat_web/auth.py b/python/fatcat_web/auth.py
index 0bdb564f..8b57a8c0 100644
--- a/python/fatcat_web/auth.py
+++ b/python/fatcat_web/auth.py
@@ -28,6 +28,7 @@ def handle_token_login(token):
abort(400)
# fetch editor info
editor = api.get_editor(editor_id)
+ session.permanent = True
session['api_token'] = token
session['editor'] = editor.to_dict()
login_user(load_user(editor.editor_id))
@@ -64,6 +65,7 @@ def handle_oauth(remote, token, user_info):
flash("Welcome back!")
# write token and username to session
+ session.permanent = True
session['api_token'] = api_token
session['editor'] = editor.to_dict()
diff --git a/python/fatcat_web/web_config.py b/python/fatcat_web/web_config.py
index 5713738c..85134762 100644
--- a/python/fatcat_web/web_config.py
+++ b/python/fatcat_web/web_config.py
@@ -34,6 +34,12 @@ class Config(object):
GITLAB_CLIENT_ID = os.environ.get("GITLAB_CLIENT_ID", default="bogus")
GITLAB_CLIENT_SECRET = os.environ.get("GITLAB_CLIENT_SECRET", default="bogus")
+ # protect cookies (which include API tokens)
+ SESSION_COOKIE_HTTPONLY = True
+ SESSION_COOKIE_SECURE = True
+ SESSION_COOKIE_SAMESITE = 'Lax'
+ PERMANENT_SESSION_LIFETIME = 2678400 # 31 days, in seconds
+
try:
GIT_RELEASE = raven.fetch_git_sha('..')
except Exception as e: