This is an automated email from the ASF dual-hosted git repository. brondsem pushed a commit to branch db/8526 in repository https://gitbox.apache.org/repos/asf/allura.git
commit 31caa73c4d7b8bb1acd855b14d5da02515d0bbde
Author: Dave Brondsema <[email protected]>
AuthorDate: Wed Nov 15 15:50:58 2023 -0500
[#8526] use new session cookie implementation
---
 Allura/allura/config/middleware.py | 5 ++++-
 Allura/allura/lib/decorators.py | 2 +-
 Allura/development.ini | 6 +++---
 Allura/docs/getting_started/installation.rst | 9 +++------
 Allura/production-docker-example.ini | 7 ++++---
 requirements.in | 3 ++-
 requirements.txt | 12 ++++++++++--
 7 files changed, 27 insertions(+), 17 deletions(-)
diff --git a/Allura/allura/config/middleware.py b/Allura/allura/config/middleware.py
index c7503f17a..c926292c4 100644
--- a/Allura/allura/config/middleware.py
+++ b/Allura/allura/config/middleware.py
@@ -37,6 +37,7 @@ import ew
 import formencode
 import ming
 from ming.odm.middleware import MingMiddleware
+from beaker_session_jwt import JWTCookieSession
 # Must apply patches before other Allura imports to ensure all the patches are effective.
 # This file gets imported from paste/deploy/loadwsgi.py pretty early in the app execution
@@ -135,7 +136,9 @@ def _make_core_app(root, global_conf: dict, **app_conf):
 # broswer permissions policy
 app = SetHeadersMiddleware(app, config)
 # Required for sessions
- app = SessionMiddleware(app, config, data_serializer=BeakerPickleSerializerWithLatin1())
+ app = SessionMiddleware(app, config,
+ original_format_data_serializer=BeakerPickleSerializerWithLatin1(),
+ session_class=JWTCookieSession)
 # Handle "Remember me" functionality
 app = RememberLoginMiddleware(app, config)
 # Redirect 401 to the login page
diff --git a/Allura/allura/lib/decorators.py b/Allura/allura/lib/decorators.py
index c889ea799..eaf8016f8 100644
--- a/Allura/allura/lib/decorators.py
+++ b/Allura/allura/lib/decorators.py
@@ -245,4 +245,4 @@ def memorable_forget():
 forget(None, ex)
 raise ex
- return _inner
\ No newline at end of file
+ return _inner
diff --git a/Allura/development.ini b/Allura/development.ini
index 0f93fcc41..4cad5509a 100644
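Review bot: The migration keeps a pickle serializer (`BeakerPickleSerializerWithLatin1`) reachable for pre-JWT cookies through `original_format_data_serializer`, while the same commit removes `session.validate_key` from development.ini; unpickling cookie bytes is only safe after their signature has been verified, so it is worth confirming that `JWTCookieSession` rejects an unsigned or unverifiable old-format cookie before it ever reaches the pickle loader, and which key it uses for that check now that validate_key is no longer configured. The new call also says nothing about why the old format is still accepted or when it can be dropped; a comment such as `# original_format_*: transitional, reads cookies issued before the JWT switch; remove once those cookies have expired` would record that. `_make_core_app` starts and ends outside the hunk.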
--- a/Allura/development.ini
+++ b/Allura/development.ini
@@ -107,13 +107,13 @@ jinja_cache_size = -1
 ; Docs at http://beaker.readthedocs.org/en/latest/configuration.html#session-options
 ; and http://beaker.readthedocs.org/en/latest/modules/session.html#beaker.session.CookieSession
+; and https://github.com/brondsem/beaker-session-jwt#additional-config-options
 session.key = allura
-session.type = cookie
 session.httponly = true
 ; set this to true if you use HTTPS
 session.secure = false
-; CHANGE THIS VALUE FOR YOUR SITE
-session.validate_key = 714bfe3612c42390726f
+; CHANGE THIS VALUE FOR YOUR SITE. Can be a comma-separated list to allow for key rotation
+session.jwt_secret_keys = 330c2e698fcadfe46524b57223656404a47a9d80d76f8afb4cae34657247a1ea
 ;
 ; Settings for global navigation
diff --git a/Allura/docs/getting_started/installation.rst b/Allura/docs/getting_started/installation.rst
index 035c3f5ba..fddfa16f2 100644
--- a/Allura/docs/getting_started/installation.rst
+++ b/Allura/docs/getting_started/installation.rst
@@ -246,20 +246,17 @@ Change `[handler_console]` section, so that logs go to a file and will include b
 Add write permissions to the :file:`/path/to/allura.log` for the user you use to run allura proccess.
-Change "secrets".
+Change the secret key used for signing session cookies.
 .. code-block:: ini
- beaker.session.secret = <your-secret-key>
- beaker.session.validate_key = <yet-another-secret-key>
-
-The first one is used for simple cookies, the latter is used for encrypted cookies.
+ beaker.session.jwt_secret_keys = <secret-key>
 You can use the following command to generate a good key:
 .. code-block:: bash
- ~$ python -c 'import secrets; print(secrets.token_hex(20));'
+ ~$ python -c 'import secrets; print(secrets.token_hex());'
 Production-quality web server
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
diff --git a/Allura/production-docker-example.ini b/Allura/production-docker-example.ini
index 55e5142bd..6ee0ddcee 100644
--- a/Allura/production-docker-example.ini
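Review bot: The new `session.jwt_secret_keys` value is a literal signing key checked into the repository, and production-docker-example.ini states that it inherits settings from development.ini, so a deployment that forgets to override it signs every session cookie with a publicly known key; the existing `; CHANGE THIS VALUE FOR YOUR SITE` comment is the only guard. A startup check that refuses this known default outside development mode would turn a forgotten override into a failed start rather than forgeable sessions. The comment introduces the comma-separated rotation list but not its ordering semantics (which entry signs, which only verify); if the library documents that, a sentence such as `; For rotation put the new key first and keep the old one until existing sessions expire` belongs here, worded to match what the library actually does.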
+++ b/Allura/production-docker-example.ini
@@ -24,7 +24,8 @@
 ; Also change:
 ; site_name
 ; smtp_server
-; session.validate_key
+; session.jwt_secret_keys
+; session.secure
 ;
 ; This file inherits settings from docker-dev.ini and development.ini
 ; You are free to make additional changes/additions to this file for other settings
@@ -61,7 +62,7 @@ smtp_tls = true
 forgemail.domain = .myexamplesite.com
 forgemail.return_path = [email protected]
-session.validate_key = 712de83fa0cb0d0f0a383
+session.jwt_secret_keys = d2de2cf67814d69691f77e390f14845aa5f5c8bb
 auth.allow_birth_date = false
 trovecategories.enableediting = admin
@@ -172,4 +173,4 @@ datefmt = %H:%M:%S
 [formatter_timermiddleware]
 format = {"time": "%(asctime)s,%(msecs)03d", "level": "%(levelname)-5.5s", "name": "%(name)s", "message": %(message)s}
-datefmt = %Y-%m-%d %H:%M:%S
\ No newline at end of file
+datefmt = %Y-%m-%d %H:%M:%S
diff --git a/requirements.in b/requirements.in
index 958f8870d..c242b2c3e 100644
--- a/requirements.in
+++ b/requirements.in
@@ -1,6 +1,7 @@
 ActivityStream
 beautifulsoup4
 Beaker
+beaker-session-jwt
 colander
 cryptography
 decorator
@@ -59,4 +60,4 @@ pytest-sugar
 # deployment
 gunicorn
-pre-commit
\ No newline at end of file
+pre-commit
diff --git a/requirements.txt b/requirements.txt
index a2ae42e31..b19a0b427 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -7,7 +7,10 @@
 activitystream==0.4.0
 # via -r requirements.in
 beaker==1.12.1
- # via -r requirements.in
+ # via
+ # -r requirements.in
+ # beaker-session-jwt
+beaker-session-jwt==1.0.0
 beautifulsoup4==4.12.2
 # via
 # -r requirements.in
@@ -29,7 +32,9 @@ crank==0.8.1
 creoleparser==0.7.5
 # via pypeline
 cryptography==41.0.4
- # via -r requirements.in
+ # via
+ # -r requirements.in
+ # joserfc
 decorator==5.1.1
 # via -r requirements.in
 diff-match-patch==20230430
@@ -85,6 +90,8 @@ iso8601==1.1.0
 # via colander
 jinja2==3.1.2
 # via -r requirements.in
+joserfc==0.9.0
+ # via beaker-session-jwt
 markdown==3.5
 # via
 # -r requirements.in
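Review bot: The example value `session.jwt_secret_keys = d2de2cf67814d69691f77e390f14845aa5f5c8bb` is a real-looking 20-byte key that now lives in the public repository; a copy of this file deployed without editing that line runs with a signing key anyone can look up, whereas a value that is visibly a placeholder (or one the application refuses at startup) would fail loudly instead. The `; Also change:` list now names `session.secure`, but no `session.secure` line appears in the visible hunks of this production example, so a reader has nothing concrete to change; adding `session.secure = true` next to the key line would make the intent explicit. The key is also shorter than what the updated installation docs generate with `secrets.token_hex()` (32 bytes, matching the 64-hex-character value in development.ini), a minor inconsistency between the two examples.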
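Review bot: `beaker-session-jwt` becomes the component that signs and verifies every session cookie, and the lockfile in this commit pins it as `beaker-session-jwt==1.0.0` (pulling in `joserfc==0.9.0`) with no `--hash=` entries, while the only reference to the package on the page is the personal GitHub repository linked from development.ini. Given what it protects, it is worth recording in the review where the package is published from and who can release it, and generating requirements.txt with pip-compile's `--generate-hashes` so that an upgraded or substituted artifact cannot change the session layer silently.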
@@ -146,6 +153,7 @@ pymongo==3.13.0
 # via
 # -r requirements.in
 # activitystream
+ # beaker-session-jwt
 # ming
 pypeline[creole,markdown,rst,textile]==0.6.1
 # via -r requirements.in
