sbp commented on code in PR #1150:
URL:
https://github.com/apache/tooling-trusted-releases/pull/1150#discussion_r3064490425
##########
atr/server.py:
##########
@@ -474,35 +475,45 @@ async def bind_request_context_vars() -> None:
@app.before_request
async def validate_session() -> None:
"""
- Check account is still active and augment cookie with additional
information
- Note - absolute session max lifetime (MAX_SESSION_AGE) is handled by
asfquart
+ Check account is still active via periodic LDAP liveness checks.
+ Absolute session max lifetime (MAX_SESSION_AGE) and idle timeout are
+ enforced by the session store during validate().
"""
- session = await asfquart.session.read()
- if session is None or session.uid is None:
+ session = await sessions.read()
+ if not isinstance(session, sql.UserSession):
return
+ quart.g.is_session_downgraded = session.downgrade_admin_to_user
+
conf = config.get()
account_check_interval = conf.ACCOUNT_CHECK_INTERVAL
- # Check if session has a check timestamp in metadata
- last_check = session.metadata.get("last_account_check")
+ # Check if session has a check timestamp
+ last_check = session.last_account_check
current_time = time.time()
- uid = str(session.uid)
+ uid = session.uid
if last_check is None or (current_time - last_check >
account_check_interval):
- # First time checking this session, record time
- session.metadata["last_account_check"] = current_time
if not await ldap.is_active(uid):
log.auth_failure("oauth", "account_deleted_or_banned", uid)
- asfquart.session.clear()
- raise base.ASFQuartException("Session expired", errorcode=401)
+ await asfquart.APP.sessions.revoke_by_uid(uid)
+ await asfquart.session.aclear()
+ sessions.invalidate_cache()
+ raise base.ASFQuartException("Account is disabled",
errorcode=401)
+
+ admin_uid = session.admin_uid
+ if isinstance(admin_uid, str) and admin_uid and (not await
ldap.is_active(admin_uid)):
+ log.auth_failure("oauth", "account_deleted_or_banned",
admin_uid)
+ await asfquart.APP.sessions.revoke_by_uid(admin_uid)
+ await asfquart.session.aclear()
+ sessions.invalidate_cache()
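Review bot: The revoke-by-uid / aclear / invalidate_cache teardown is written out twice, once for `uid` (L43–L45) and again for `admin_uid` (L54–L56), so a later change to one copy (for example adding a step, or reordering so the cache is invalidated before the cookie is cleared) will silently miss the other; a small local helper keeps the two revocation paths identical, as sketched below. The removed `session.metadata["last_account_check"] = current_time` has no visible replacement in this hunk, so if `session.last_account_check` is refreshed only later in the function, it should be confirmed that it is written on the path where both LDAP checks pass, otherwise every request after the interval re-queries LDAP. validate_session continues past the end of the quoted hunk (the admin branch's final `raise` is not shown).
```python
async def _revoke(revoked_uid: str) -> None:
    # single teardown path shared by the user and admin account checks
    await asfquart.APP.sessions.revoke_by_uid(revoked_uid)
    await asfquart.session.aclear()
    sessions.invalidate_cache()

# … unchanged: session read, interval computation …
if not await ldap.is_active(uid):
    log.auth_failure("oauth", "account_deleted_or_banned", uid)
    await _revoke(uid)
    raise base.ASFQuartException("Account is disabled", errorcode=401)
# … unchanged: admin_uid check, with _revoke(admin_uid) replacing the three repeated calls …
```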
Review Comment:
Good idea, thanks. Coming up in the next commit.