From 6eeead67f1d9af4ff2fc3c6c1188bc372e7d05a0 Mon Sep 17 00:00:00 2001
From: Bryan Newbold <bnewbold@robocracy.org>
Date: Fri, 4 Jan 2019 17:59:59 -0800
Subject: one-month default session; lock down cookies

---
 python/fatcat_web/auth.py       | 2 ++
 python/fatcat_web/web_config.py | 6 ++++++
 2 files changed, 8 insertions(+)

(limited to 'python/fatcat_web')

diff --git a/python/fatcat_web/auth.py b/python/fatcat_web/auth.py
index 0bdb564f..8b57a8c0 100644
--- a/python/fatcat_web/auth.py
+++ b/python/fatcat_web/auth.py
@@ -28,6 +28,7 @@ def handle_token_login(token):
         abort(400)
     # fetch editor info
     editor = api.get_editor(editor_id)
+    session.permanent = True
     session['api_token'] = token
     session['editor'] = editor.to_dict()
     login_user(load_user(editor.editor_id))
@@ -64,6 +65,7 @@ def handle_oauth(remote, token, user_info):
             flash("Welcome back!")
 
         # write token and username to session
+        session.permanent = True
         session['api_token'] = api_token
         session['editor'] = editor.to_dict()
 
diff --git a/python/fatcat_web/web_config.py b/python/fatcat_web/web_config.py
index 5713738c..85134762 100644
--- a/python/fatcat_web/web_config.py
+++ b/python/fatcat_web/web_config.py
@@ -34,6 +34,12 @@ class Config(object):
     GITLAB_CLIENT_ID = os.environ.get("GITLAB_CLIENT_ID", default="bogus")
     GITLAB_CLIENT_SECRET = os.environ.get("GITLAB_CLIENT_SECRET", default="bogus")
 
+    # protect cookies (which include API tokens)
+    SESSION_COOKIE_HTTPONLY = True
+    SESSION_COOKIE_SECURE = True
+    SESSION_COOKIE_SAMESITE = 'Lax'
+    PERMANENT_SESSION_LIFETIME = 2678400 # 31 days, in seconds
+
     try:
         GIT_RELEASE = raven.fetch_git_sha('..')
     except Exception as e:
-- 
cgit v1.2.3