This is an automated email from the ASF dual-hosted git repository.
dill0wn pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/allura.git
The following commit(s) were added to refs/heads/master by this push:
new 9be8b3156 [#8526] use new session cookie implementation
9be8b3156 is described below
commit 9be8b315669dff59979fbd258037c8aaadaf6d26
Author: Dave Brondsema <[email protected]>
AuthorDate: Wed Nov 15 15:50:58 2023 -0500
[#8526] use new session cookie implementation
---
Allura/allura/config/middleware.py | 13 ++++++++++++-
Allura/allura/lib/decorators.py | 2 +-
Allura/development.ini | 6 +++---
Allura/docs/getting_started/installation.rst | 9 +++------
Allura/production-docker-example.ini | 7 ++++---
requirements.in | 3 ++-
requirements.txt | 12 ++++++++++--
7 files changed, 35 insertions(+), 17 deletions(-)
diff --git a/Allura/allura/config/middleware.py
b/Allura/allura/config/middleware.py
index c7503f17a..f8378b1fe 100644
--- a/Allura/allura/config/middleware.py
+++ b/Allura/allura/config/middleware.py
@@ -21,6 +21,9 @@ import ast
import importlib
import mimetypes
import pickle
+import re
+import warnings
+
import six
import tg
import pkg_resources
@@ -37,6 +40,7 @@ import ew
import formencode
import ming
from ming.odm.middleware import MingMiddleware
+from beaker_session_jwt import JWTCookieSession
# Must apply patches before other Allura imports to ensure all the patches are
effective.
# This file gets imported from paste/deploy/loadwsgi.py pretty early in the
app execution
@@ -135,7 +139,14 @@ def _make_core_app(root, global_conf: dict, **app_conf):
# broswer permissions policy
app = SetHeadersMiddleware(app, config)
# Required for sessions
- app = SessionMiddleware(app, config,
data_serializer=BeakerPickleSerializerWithLatin1())
+ with warnings.catch_warnings():
+ # the session_class= arg triggers this warning but is the only way it
works, so suppress warning
+ warnings.filterwarnings('ignore',
+ re.escape('Session options should start with
session. instead of session_.'),
+ DeprecationWarning)
+ app = SessionMiddleware(app, config,
+
original_format_data_serializer=BeakerPickleSerializerWithLatin1(),
+ session_class=JWTCookieSession)
# Handle "Remember me" functionality
app = RememberLoginMiddleware(app, config)
# Redirect 401 to the login page
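Review bot: The `original_format_data_serializer=BeakerPickleSerializerWithLatin1()` argument keeps pickle deserialization on the cookie path for sessions written in the pre-JWT format, and nothing in the hunk records what makes that path safe; a comment stating the assumption would help the next reader, e.g. `# legacy-format cookies are still unpickled; they must be signature-checked before this serializer sees them — confirm against beaker-session-jwt`. The same commit drops `session.validate_key` from development.ini, so it is not clear from this hunk whether legacy cookies can still be verified or are simply rejected; the comment should say which. The `warnings.filterwarnings` pattern is anchored to the exact deprecation text, which is appropriately narrow. `_make_core_app` starts and continues outside this hunk.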
diff --git a/Allura/allura/lib/decorators.py b/Allura/allura/lib/decorators.py
index c889ea799..eaf8016f8 100644
--- a/Allura/allura/lib/decorators.py
+++ b/Allura/allura/lib/decorators.py
@@ -245,4 +245,4 @@ def memorable_forget():
forget(None, ex)
raise ex
- return _inner
\ No newline at end of file
+ return _inner
diff --git a/Allura/development.ini b/Allura/development.ini
index 0f93fcc41..4cad5509a 100644
--- a/Allura/development.ini
+++ b/Allura/development.ini
@@ -107,13 +107,13 @@ jinja_cache_size = -1
; Docs at
http://beaker.readthedocs.org/en/latest/configuration.html#session-options
; and
http://beaker.readthedocs.org/en/latest/modules/session.html#beaker.session.CookieSession
+; and https://github.com/brondsem/beaker-session-jwt#additional-config-options
session.key = allura
-session.type = cookie
session.httponly = true
; set this to true if you use HTTPS
session.secure = false
-; CHANGE THIS VALUE FOR YOUR SITE
-session.validate_key = 714bfe3612c42390726f
+; CHANGE THIS VALUE FOR YOUR SITE. Can be a comma-separated list to allow for
key rotation
+session.jwt_secret_keys =
330c2e698fcadfe46524b57223656404a47a9d80d76f8afb4cae34657247a1ea
;
; Settings for global navigation
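Review bot: The `session.jwt_secret_keys` value added on the new side is a working signing key checked into the repository, so any deployment that inherits development.ini without overriding it signs session cookies with a public key; the `CHANGE THIS VALUE` comment is the only guard. The comment could point at the generator the docs in this commit now recommend and name the rotation semantics, e.g. `; CHANGE THIS VALUE FOR YOUR SITE — generate with: python -c 'import secrets; print(secrets.token_hex())'` followed by `; Can be a comma-separated list to allow for key rotation (see the beaker-session-jwt link above for which entry signs and which only verify)`. Whether the library signs with the first key and verifies with all is not visible here, so confirm against the linked README before stating it.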
diff --git a/Allura/docs/getting_started/installation.rst
b/Allura/docs/getting_started/installation.rst
index 035c3f5ba..fddfa16f2 100644
--- a/Allura/docs/getting_started/installation.rst
+++ b/Allura/docs/getting_started/installation.rst
@@ -246,20 +246,17 @@ Change `[handler_console]` section, so that logs go to a
file and will include b
Add write permissions to the :file:`/path/to/allura.log` for the user you use
to run allura proccess.
-Change "secrets".
+Change the secret key used for signing session cookies.
.. code-block:: ini
- beaker.session.secret = <your-secret-key>
- beaker.session.validate_key = <yet-another-secret-key>
-
-The first one is used for simple cookies, the latter is used for encrypted
cookies.
+ beaker.session.jwt_secret_keys = <secret-key>
You can use the following command to generate a good key:
.. code-block:: bash
- ~$ python -c 'import secrets; print(secrets.token_hex(20));'
+ ~$ python -c 'import secrets; print(secrets.token_hex());'
Production-quality web server
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
diff --git a/Allura/production-docker-example.ini
b/Allura/production-docker-example.ini
index 55e5142bd..6ee0ddcee 100644
--- a/Allura/production-docker-example.ini
+++ b/Allura/production-docker-example.ini
@@ -24,7 +24,8 @@
; Also change:
; site_name
; smtp_server
-; session.validate_key
+; session.jwt_secret_keys
+; session.secure
;
; This file inherits settings from docker-dev.ini and development.ini
; You are free to make additional changes/additions to this file for other
settings
@@ -61,7 +62,7 @@ smtp_tls = true
forgemail.domain = .myexamplesite.com
forgemail.return_path = [email protected]
-session.validate_key = 712de83fa0cb0d0f0a383
+session.jwt_secret_keys = d2de2cf67814d69691f77e390f14845aa5f5c8bb
auth.allow_birth_date = false
trovecategories.enableediting = admin
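Review bot: The example `session.jwt_secret_keys` value on the new side is 40 hex characters (160 bits), while the installation docs in this same commit switch the recommended generator to `secrets.token_hex()` (32 bytes) and development.ini ships a 64-character key; the example should match, e.g. `session.jwt_secret_keys = <64-hex-char-key generated with secrets.token_hex()>`. If beaker-session-jwt signs with HS256, RFC 7518 requires a key at least as long as the hash output (256 bits), so a copied 160-bit example would be weaker than the documented setup or possibly rejected — confirm which algorithm the library uses. This is an example file, but example values get copied verbatim.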
@@ -172,4 +173,4 @@ datefmt = %H:%M:%S
[formatter_timermiddleware]
format = {"time": "%(asctime)s,%(msecs)03d", "level": "%(levelname)-5.5s",
"name": "%(name)s", "message": %(message)s}
-datefmt = %Y-%m-%d %H:%M:%S
\ No newline at end of file
+datefmt = %Y-%m-%d %H:%M:%S
diff --git a/requirements.in b/requirements.in
index 958f8870d..c242b2c3e 100644
--- a/requirements.in
+++ b/requirements.in
@@ -1,6 +1,7 @@
ActivityStream
beautifulsoup4
Beaker
+beaker-session-jwt
colander
cryptography
decorator
@@ -59,4 +60,4 @@ pytest-sugar
# deployment
gunicorn
-pre-commit
\ No newline at end of file
+pre-commit
diff --git a/requirements.txt b/requirements.txt
index a2ae42e31..ea952ff0e 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -7,7 +7,10 @@
activitystream==0.4.0
# via -r requirements.in
beaker==1.12.1
- # via -r requirements.in
+ # via
+ # -r requirements.in
+ # beaker-session-jwt
+beaker-session-jwt==1.0.1
beautifulsoup4==4.12.2
# via
# -r requirements.in
@@ -29,7 +32,9 @@ crank==0.8.1
creoleparser==0.7.5
# via pypeline
cryptography==41.0.4
- # via -r requirements.in
+ # via
+ # -r requirements.in
+ # joserfc
decorator==5.1.1
# via -r requirements.in
diff-match-patch==20230430
@@ -85,6 +90,8 @@ iso8601==1.1.0
# via colander
jinja2==3.1.2
# via -r requirements.in
+joserfc==0.9.0
+ # via beaker-session-jwt
markdown==3.5
# via
# -r requirements.in
@@ -146,6 +153,7 @@ pymongo==3.13.0
# via
# -r requirements.in
# activitystream
+ # beaker-session-jwt
# ming
pypeline[creole,markdown,rst,textile]==0.6.1
# via -r requirements.in