From 6eeead67f1d9af4ff2fc3c6c1188bc372e7d05a0 Mon Sep 17 00:00:00 2001
From: Bryan Newbold
Date: Fri, 4 Jan 2019 17:59:59 -0800
Subject: one-month default session; lock down cookies

---
 python/fatcat_web/auth.py | 2 ++
 python/fatcat_web/web_config.py | 6 ++++++
 2 files changed, 8 insertions(+)

diff --git a/python/fatcat_web/auth.py b/python/fatcat_web/auth.py
index 0bdb564f..8b57a8c0 100644
--- a/python/fatcat_web/auth.py
+++ b/python/fatcat_web/auth.py
@@ -28,6 +28,7 @@ def handle_token_login(token):
 abort(400)
 # fetch editor info
 editor = api.get_editor(editor_id)
+ session.permanent = True
 session['api_token'] = token
 session['editor'] = editor.to_dict()
 login_user(load_user(editor.editor_id))
@@ -64,6 +65,7 @@ def handle_oauth(remote, token, user_info):
 flash("Welcome back!")
 
 # write token and username to session
+ session.permanent = True
 session['api_token'] = api_token
 session['editor'] = editor.to_dict()
 
diff --git a/python/fatcat_web/web_config.py b/python/fatcat_web/web_config.py
index 5713738c..85134762 100644
--- a/python/fatcat_web/web_config.py
+++ b/python/fatcat_web/web_config.py
@@ -34,6 +34,12 @@ class Config(object):
 GITLAB_CLIENT_ID = os.environ.get("GITLAB_CLIENT_ID", default="bogus")
 GITLAB_CLIENT_SECRET = os.environ.get("GITLAB_CLIENT_SECRET", default="bogus")
 
+ # protect cookies (which include API tokens)
+ SESSION_COOKIE_HTTPONLY = True
+ SESSION_COOKIE_SECURE = True
+ SESSION_COOKIE_SAMESITE = 'Lax'
+ PERMANENT_SESSION_LIFETIME = 2678400 # 31 days, in seconds
+
 try:
 GIT_RELEASE = raven.fetch_git_sha('..')
 except Exception as e:
-- 
cgit v1.2.3
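Review bot: The new `session.permanent = True` in handle_token_login is applied on top of whatever the session already holds, so any pre-login state, including a previously stored `api_token`/`editor` pair for a different editor, is carried into the new 31-day permanent cookie rather than replaced; clearing first, `session.clear()` immediately before `session.permanent = True`, keeps the long-lived cookie to exactly the keys written on the following lines. The handle_oauth hunk below has the same pattern and should get the same treatment. Both functions begin before and end after their hunks, so a logout path that clears the session may exist elsewhere; this note is only about the login paths. A short comment on the added line, such as `# token now lives as long as the session cookie (PERMANENT_SESSION_LIFETIME)`, would make the new lifetime coupling visible to the next reader of this file.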
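Review bot: `SESSION_COOKIE_SECURE = True` is hard-coded while the neighbouring settings in this class are read with `os.environ.get`, so a development instance served over plain HTTP will set a cookie the browser never returns and every login will appear to silently fail; sourcing it from the environment with a secure default, for example (constructed sample) `SESSION_COOKIE_SECURE = os.environ.get("SESSION_COOKIE_SECURE", "true").lower() == "true"`, avoids editing this file per deployment while keeping production locked down. `PERMANENT_SESSION_LIFETIME` is a sliding idle window rather than a hard cap, because Flask's `SESSION_REFRESH_EACH_REQUEST` defaults to true and re-issues the cookie on each request; since the comment above says the cookie carries API tokens, the trailing comment should say so, e.g. `# 31 days idle, in seconds; refreshed on every request (SESSION_REFRESH_EACH_REQUEST)`. The Config class continues outside the hunk.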