diff options
| author | Daniel Schadt <kingdread@gmx.de> | 2023-10-15 00:06:09 +0200 | 
|---|---|---|
| committer | Daniel Schadt <kingdread@gmx.de> | 2023-10-15 00:06:09 +0200 | 
| commit | fcb0f5cd199e68fff502943e048db2d0ac93503a (patch) | |
| tree | 82e27ca1a86c0b59c0201753732562f3037efcc8 | |
| parent | ab37c2dcbcc6916d38ecc2c3e59d9c94711e52fb (diff) | |
| parent | bae6499475d0f9f735caebeda56755183ced5aeb (diff) | |
| download | fietsboek-fcb0f5cd199e68fff502943e048db2d0ac93503a.tar.gz fietsboek-fcb0f5cd199e68fff502943e048db2d0ac93503a.tar.bz2 fietsboek-fcb0f5cd199e68fff502943e048db2d0ac93503a.zip | |
Merge branch 'session-secrets'
| -rw-r--r-- | doc/developer.rst | 1 | ||||
| -rw-r--r-- | doc/developer/authentication.rst | 115 | ||||
| -rw-r--r-- | fietsboek/alembic/versions/20230914_4566843039d6.py | 37 | ||||
| -rw-r--r-- | fietsboek/locale/de/LC_MESSAGES/messages.mo | bin | 14714 -> 15259 bytes | |||
| -rw-r--r-- | fietsboek/locale/de/LC_MESSAGES/messages.po | 41 | ||||
| -rw-r--r-- | fietsboek/locale/en/LC_MESSAGES/messages.mo | bin | 13738 -> 14269 bytes | |||
| -rw-r--r-- | fietsboek/locale/en/LC_MESSAGES/messages.po | 41 | ||||
| -rw-r--r-- | fietsboek/locale/fietslog.pot | 38 | ||||
| -rw-r--r-- | fietsboek/models/user.py | 38 | ||||
| -rw-r--r-- | fietsboek/routes.py | 1 | ||||
| -rw-r--r-- | fietsboek/scripts/fietsctl.py | 1 | ||||
| -rw-r--r-- | fietsboek/templates/user_data.jinja2 | 11 | ||||
| -rw-r--r-- | fietsboek/views/account.py | 1 | ||||
| -rw-r--r-- | fietsboek/views/user_data.py | 26 | ||||
| -rw-r--r-- | tests/playwright/conftest.py | 2 | 
15 files changed, 304 insertions, 49 deletions
| diff --git a/doc/developer.rst b/doc/developer.rst index 8b41c60..02876dc 100644 --- a/doc/developer.rst +++ b/doc/developer.rst @@ -8,6 +8,7 @@ Developer Guide      developer/localize      developer/language-pack      developer/js-css +    developer/authentication      Python Packages <developer/module/modules>  This guide contains information for developers that want to modify or extend diff --git a/doc/developer/authentication.rst b/doc/developer/authentication.rst new file mode 100644 index 0000000..c52abeb --- /dev/null +++ b/doc/developer/authentication.rst @@ -0,0 +1,115 @@ +Authentication & Sessions +========================= + +This document gives a quick overview over the way that Fietsboek uses sessions +and authenticates users, going a bit into the technical details and reasoning +behind them. Fietsboek mostly uses `Pyramid's authentication facilities`_, +using hashed passwords in the database, and combining both the +``SessionAuthenticationHelper`` and the ``AuthTktCookieHelper``. + +.. _Pyramid's authentication facilities: https://docs.pylonsproject.org/projects/pyramid/en/latest/api/authentication.html + +Password Storage +---------------- + +Fietsboek stores passwords as a salted `scrypt`_ hash, using the implementation +in the `cryptography`_ library. The parameters Fietsboek uses are taken from +the ``cryptography`` documentation, which in turn takes them from `RFC 7914`_: + +.. code:: python + +    SCRYPT_PARAMETERS = { +        "length": 32, +        "n": 2**14, +        "r": 8, +        "p": 1, +    } + +We note that the recommendation is from 2016, so a slightly increased value of +``n`` could be chosen to stay around the 100 ms target. The `Go documentation`_ +mentions ``n = 2**15``. The reason why this is not updated yet is that it would +require logic to update password hashes when users log in, which has not been +implemented. + +The randomness for the salt is taken from Python's built-in `secrets`_ module, +using high-quality random sources. + +.. _scrypt: https://en.wikipedia.org/wiki/Scrypt +.. _cryptography: https://cryptography.io/en/latest/ +.. _RFC 7914: https://datatracker.ietf.org/doc/html/rfc7914.html +.. _Go documentation: https://pkg.go.dev/golang.org/x/crypto/scrypt#Key +.. _secrets: https://docs.python.org/3/library/secrets.html + +Cookies +------- + +The authentication logic uses two cookies: one session cookie for normal +log-ins, and one long-lived cookie for the "Remember me" functionality. The +reason for the cookie split is that session cookies expire after a few minutes, +and by keeping a separate long-lived cookie, we can realize a "Remember me" +functionality without destroying the timeout for the remainder of the session +data. + +The flow in the login handler therefore does two steps: + +#. If the session contains a valid user data, the user is considered +   authenticated. +#. If not, the "Remember me"-cookie is checked. If it contains a valid user +   data, the session fingerprint is set to match, and the user is +   considered authenticated. + +The user data in the cookie consists of two parts: the user ID in plain, which +is used to quickly retrieve the right user from the database, and the user +fingerprint, which is used to verify that the user is the correct one (see +below). + +It is important to note that the session and the cookie are signed with the +application secret. Therefore, it is not possible to easily forge a valid +authentication cookie. + +User Fingerprint +---------------- + +The cookie signature makes it hard to forge valid authentication tokens in the +first place. However, even with the signature mechanism in place, there are (at +least) two possible issues if we leave away the extra fingerprint: + +Firstly, while no "new" authentication cookies can be forged, a legitimate +cookie that is saved might lead to a wrong user being retrieved. For example, +if someone saves their authentication cookie, then deletes their user account, +and the database re-uses the ID for the next new user, then the old +authentication cookie could be used to gain access to the new account. + +Secondly, as sessions and cookies are client-side, we cannot influence them +from the server. Therefore, there would be no way to invalidate a specific +cookie, or all authentication cookies for a specific user (short of changing +the application secret and invalidating *all* cookies). To provide a "Log out +all sessions" functionality, we need a way to invalidate sessions remotely. + +To solve those problems, we add a cryptographic hash (more precisely, a 10 byte +SHAKE_ hash) to the authentication cookie, which is formed over the following +data points: + +* The user's email address +* The hash of the user's password +* A random session secret, specific to each user + +This means that if any of those data points changes, the fingerprint will +change, and old authentication sessions and cookies will no longer be valid: + +* If the user changes their email address, we consider this a relevant change, +  and require the user to login again. +* If a user changes their password, all sessions are also invalidated, and the +  user needs to login again. +* If we want to invalidate the sessions without setting a new password (e.g. +  because the user requests it), we simply set a new random session secret for +  the user. + +We note that the fingerprint only offers 80 bits of security (which is rather +low), but the fingerprint is not the main line of defense against forged +logins: the main source of security for forged logins is the cookie signature. +The fingerprint only ensures that no "user mixups" can occur. So not only would +you need to brute-force the correct 80 bits of fingerprint, but for each +fingerprint you also need to generate a valid signature. + +.. _SHAKE: https://en.wikipedia.org/wiki/SHA-3 diff --git a/fietsboek/alembic/versions/20230914_4566843039d6.py b/fietsboek/alembic/versions/20230914_4566843039d6.py new file mode 100644 index 0000000..28dcbda --- /dev/null +++ b/fietsboek/alembic/versions/20230914_4566843039d6.py @@ -0,0 +1,37 @@ +"""Add session_secret column. + +Revision ID: 4566843039d6 +Revises: 8f4e4eae5eb2 +Create Date: 2023-09-14 19:33:51.646943 + +""" +import secrets + +import sqlalchemy as sa +from alembic import op + +# revision identifiers, used by Alembic. +revision = '4566843039d6' +down_revision = '8f4e4eae5eb2' +branch_labels = None +depends_on = None + +def upgrade(): +    # ### commands auto generated by Alembic - please adjust! ### +    op.add_column('users', sa.Column('session_secret', sa.LargeBinary(length=32), nullable=True)) +    bind = op.get_bind() +    user_ids = bind.execute(sa.text("SELECT id FROM users;")).scalars() +    for user_id in user_ids: +        bind.execute( +            sa.text("UPDATE users SET session_secret=:secret WHERE id=:user_id;"), +            { +                "secret": secrets.token_bytes(32), +                "user_id": user_id, +            }, +        ) +    # ### end Alembic commands ### + +def downgrade(): +    # ### commands auto generated by Alembic - please adjust! ### +    op.drop_column('users', 'session_secret') +    # ### end Alembic commands ### diff --git a/fietsboek/locale/de/LC_MESSAGES/messages.mo b/fietsboek/locale/de/LC_MESSAGES/messages.moBinary files differ index e6dd1c6..f2bf3ea 100644 --- a/fietsboek/locale/de/LC_MESSAGES/messages.mo +++ b/fietsboek/locale/de/LC_MESSAGES/messages.mo diff --git a/fietsboek/locale/de/LC_MESSAGES/messages.po b/fietsboek/locale/de/LC_MESSAGES/messages.po index b34e849..69723be 100644 --- a/fietsboek/locale/de/LC_MESSAGES/messages.po +++ b/fietsboek/locale/de/LC_MESSAGES/messages.po @@ -7,7 +7,7 @@ msgid ""  msgstr ""  "Project-Id-Version: PROJECT VERSION\n"  "Report-Msgid-Bugs-To: EMAIL@ADDRESS\n" -"POT-Creation-Date: 2023-08-17 22:51+0200\n" +"POT-Creation-Date: 2023-09-14 20:05+0200\n"  "PO-Revision-Date: 2022-07-02 17:35+0200\n"  "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"  "Language: de\n" @@ -753,22 +753,37 @@ msgid "page.my_profile.personal_data.save"  msgstr "Speichern"  #: fietsboek/templates/user_data.jinja2:38 +msgid "page.my_profile.session_logout.title" +msgstr "Sitzungen abmelden" + +#: fietsboek/templates/user_data.jinja2:40 +msgid "page.my_profile.session_logout.explanation" +msgstr "" +"Mit dieser Funktion können alle Sitzungen beendet werden. Dies ist nützlich, " +"wenn Du vergessen hast, dich auf einem fremden Gerät abzumelden. Beachte, dass " +"Du dich erneut anmelden musst, wenn Du diese Funktion nutzt!" + +#: fietsboek/templates/user_data.jinja2:44 +msgid "page.my_profile.session_logout.button" +msgstr "Alle Sitzungen beenden" + +#: fietsboek/templates/user_data.jinja2:49  msgid "page.my_profile.friends"  msgstr "Freunde" -#: fietsboek/templates/user_data.jinja2:46 +#: fietsboek/templates/user_data.jinja2:57  msgid "page.my_profile.unfriend"  msgstr "Entfreunden" -#: fietsboek/templates/user_data.jinja2:56 +#: fietsboek/templates/user_data.jinja2:67  msgid "page.my_profile.accept_friend"  msgstr "Annehmen" -#: fietsboek/templates/user_data.jinja2:73 +#: fietsboek/templates/user_data.jinja2:84  msgid "page.my_profile.friend_request_email"  msgstr "E-Mail-Adresse des Freundes" -#: fietsboek/templates/user_data.jinja2:77 +#: fietsboek/templates/user_data.jinja2:88  msgid "page.my_profile.send_friend_request"  msgstr "Freundschaftsanfrage senden" @@ -808,7 +823,7 @@ msgstr "Ungültiger Name"  msgid "flash.invalid_email"  msgstr "Ungültige E-Mail-Adresse" -#: fietsboek/views/account.py:67 +#: fietsboek/views/account.py:68  msgid "flash.a_confirmation_link_has_been_sent"  msgstr "Ein Bestätigungslink wurde versandt" @@ -900,23 +915,27 @@ msgstr "Hochladen erfolgreich"  msgid "flash.upload_cancelled"  msgstr "Hochladen abgebrochen" -#: fietsboek/views/user_data.py:61 +#: fietsboek/views/user_data.py:66  msgid "flash.personal_data_updated"  msgstr "Persönliche Daten wurden gespeichert" -#: fietsboek/views/user_data.py:79 +#: fietsboek/views/user_data.py:85  msgid "flash.friend_not_found"  msgstr "Das angegebene Konto wurde nicht gefunden" -#: fietsboek/views/user_data.py:85 +#: fietsboek/views/user_data.py:91  msgid "flash.friend_already_exists"  msgstr "Dieser Freund existiert bereits" -#: fietsboek/views/user_data.py:93 +#: fietsboek/views/user_data.py:99  msgid "flash.friend_added"  msgstr "Freund hinzugefügt" -#: fietsboek/views/user_data.py:103 +#: fietsboek/views/user_data.py:109  msgid "flash.friend_request_sent"  msgstr "Freundschaftsanfrage gesendet" +#: fietsboek/views/user_data.py:195 +msgid "flash.sessions_logged_out" +msgstr "Die Sitzungen wurden beendet. Melde Dich bitte erneut an, um fortzufahren." + diff --git a/fietsboek/locale/en/LC_MESSAGES/messages.mo b/fietsboek/locale/en/LC_MESSAGES/messages.moBinary files differ index 56137c1..da23e31 100644 --- a/fietsboek/locale/en/LC_MESSAGES/messages.mo +++ b/fietsboek/locale/en/LC_MESSAGES/messages.mo diff --git a/fietsboek/locale/en/LC_MESSAGES/messages.po b/fietsboek/locale/en/LC_MESSAGES/messages.po index c1ff29e..45b15cc 100644 --- a/fietsboek/locale/en/LC_MESSAGES/messages.po +++ b/fietsboek/locale/en/LC_MESSAGES/messages.po @@ -7,7 +7,7 @@ msgid ""  msgstr ""  "Project-Id-Version: PROJECT VERSION\n"  "Report-Msgid-Bugs-To: EMAIL@ADDRESS\n" -"POT-Creation-Date: 2023-08-17 22:51+0200\n" +"POT-Creation-Date: 2023-09-14 20:05+0200\n"  "PO-Revision-Date: 2023-04-03 20:42+0200\n"  "Last-Translator: \n"  "Language: en\n" @@ -747,22 +747,37 @@ msgid "page.my_profile.personal_data.save"  msgstr "Save"  #: fietsboek/templates/user_data.jinja2:38 +msgid "page.my_profile.session_logout.title" +msgstr "Invalidate sessions" + +#: fietsboek/templates/user_data.jinja2:40 +msgid "page.my_profile.session_logout.explanation" +msgstr "" +"With this functionality, you can force all of your current sessions " +"to be logged out. This is useful when you forgot to log out on a foreign " +"device. Note that you will have to log in again after using this function." + +#: fietsboek/templates/user_data.jinja2:44 +msgid "page.my_profile.session_logout.button" +msgstr "Close all sessions" + +#: fietsboek/templates/user_data.jinja2:49  msgid "page.my_profile.friends"  msgstr "Friends" -#: fietsboek/templates/user_data.jinja2:46 +#: fietsboek/templates/user_data.jinja2:57  msgid "page.my_profile.unfriend"  msgstr "Unfriend" -#: fietsboek/templates/user_data.jinja2:56 +#: fietsboek/templates/user_data.jinja2:67  msgid "page.my_profile.accept_friend"  msgstr "Accept" -#: fietsboek/templates/user_data.jinja2:73 +#: fietsboek/templates/user_data.jinja2:84  msgid "page.my_profile.friend_request_email"  msgstr "Email of the friend" -#: fietsboek/templates/user_data.jinja2:77 +#: fietsboek/templates/user_data.jinja2:88  msgid "page.my_profile.send_friend_request"  msgstr "Send friend request" @@ -798,7 +813,7 @@ msgstr "Invalid name"  msgid "flash.invalid_email"  msgstr "Invalid email" -#: fietsboek/views/account.py:67 +#: fietsboek/views/account.py:68  msgid "flash.a_confirmation_link_has_been_sent"  msgstr "A confirmation link has been sent" @@ -889,23 +904,27 @@ msgstr "Upload successful"  msgid "flash.upload_cancelled"  msgstr "Upload cancelled" -#: fietsboek/views/user_data.py:61 +#: fietsboek/views/user_data.py:66  msgid "flash.personal_data_updated"  msgstr "Personal data has been updated" -#: fietsboek/views/user_data.py:79 +#: fietsboek/views/user_data.py:85  msgid "flash.friend_not_found"  msgstr "The friend was not found" -#: fietsboek/views/user_data.py:85 +#: fietsboek/views/user_data.py:91  msgid "flash.friend_already_exists"  msgstr "Friend already exists" -#: fietsboek/views/user_data.py:93 +#: fietsboek/views/user_data.py:99  msgid "flash.friend_added"  msgstr "Friend has been added" -#: fietsboek/views/user_data.py:103 +#: fietsboek/views/user_data.py:109  msgid "flash.friend_request_sent"  msgstr "Friend request sent" +#: fietsboek/views/user_data.py:195 +msgid "flash.sessions_logged_out" +msgstr "All sessions have been logged out. Please log in again to continue." + diff --git a/fietsboek/locale/fietslog.pot b/fietsboek/locale/fietslog.pot index ed93194..b87785e 100644 --- a/fietsboek/locale/fietslog.pot +++ b/fietsboek/locale/fietslog.pot @@ -8,7 +8,7 @@ msgid ""  msgstr ""  "Project-Id-Version: PROJECT VERSION\n"  "Report-Msgid-Bugs-To: EMAIL@ADDRESS\n" -"POT-Creation-Date: 2023-08-17 22:51+0200\n" +"POT-Creation-Date: 2023-09-14 20:05+0200\n"  "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"  "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"  "Language-Team: LANGUAGE <LL@li.org>\n" @@ -739,22 +739,34 @@ msgid "page.my_profile.personal_data.save"  msgstr ""  #: fietsboek/templates/user_data.jinja2:38 +msgid "page.my_profile.session_logout.title" +msgstr "" + +#: fietsboek/templates/user_data.jinja2:40 +msgid "page.my_profile.session_logout.explanation" +msgstr "" + +#: fietsboek/templates/user_data.jinja2:44 +msgid "page.my_profile.session_logout.button" +msgstr "" + +#: fietsboek/templates/user_data.jinja2:49  msgid "page.my_profile.friends"  msgstr "" -#: fietsboek/templates/user_data.jinja2:46 +#: fietsboek/templates/user_data.jinja2:57  msgid "page.my_profile.unfriend"  msgstr "" -#: fietsboek/templates/user_data.jinja2:56 +#: fietsboek/templates/user_data.jinja2:67  msgid "page.my_profile.accept_friend"  msgstr "" -#: fietsboek/templates/user_data.jinja2:73 +#: fietsboek/templates/user_data.jinja2:84  msgid "page.my_profile.friend_request_email"  msgstr "" -#: fietsboek/templates/user_data.jinja2:77 +#: fietsboek/templates/user_data.jinja2:88  msgid "page.my_profile.send_friend_request"  msgstr "" @@ -790,7 +802,7 @@ msgstr ""  msgid "flash.invalid_email"  msgstr "" -#: fietsboek/views/account.py:67 +#: fietsboek/views/account.py:68  msgid "flash.a_confirmation_link_has_been_sent"  msgstr "" @@ -878,23 +890,27 @@ msgstr ""  msgid "flash.upload_cancelled"  msgstr "" -#: fietsboek/views/user_data.py:61 +#: fietsboek/views/user_data.py:66  msgid "flash.personal_data_updated"  msgstr "" -#: fietsboek/views/user_data.py:79 +#: fietsboek/views/user_data.py:85  msgid "flash.friend_not_found"  msgstr "" -#: fietsboek/views/user_data.py:85 +#: fietsboek/views/user_data.py:91  msgid "flash.friend_already_exists"  msgstr "" -#: fietsboek/views/user_data.py:93 +#: fietsboek/views/user_data.py:99  msgid "flash.friend_added"  msgstr "" -#: fietsboek/views/user_data.py:103 +#: fietsboek/views/user_data.py:109  msgid "flash.friend_request_sent"  msgstr "" +#: fietsboek/views/user_data.py:195 +msgid "flash.sessions_logged_out" +msgstr "" + diff --git a/fietsboek/models/user.py b/fietsboek/models/user.py index 432c61d..36cdbc9 100644 --- a/fietsboek/models/user.py +++ b/fietsboek/models/user.py @@ -59,6 +59,8 @@ SCRYPT_PARAMETERS = {      "p": 1,  }  SALT_LENGTH = 32 +SESSION_SECRET_LENGTH = 32 +"""Length of the secret bytes for the user's session."""  TOKEN_LIFETIME = datetime.timedelta(hours=24)  """Maximum validity time of a token.""" @@ -90,6 +92,8 @@ class User(Base):      :vartype salt: bytes      :ivar email: Email address of the user.      :vartype email: str +    :ivar session_secret: Secret bytes for the session fingerprint. +    :vartype session_secret: bytes      :ivar is_admin: Flag determining whether this user has admin access.      :vartype is_admin: bool      :ivar is_verified: Flag determining whether this user has been verified. @@ -112,6 +116,7 @@ class User(Base):      password = Column(LargeBinary)      salt = Column(LargeBinary)      email = Column(Text) +    session_secret = Column(LargeBinary(SESSION_SECRET_LENGTH))      is_admin = Column(Boolean, default=False)      is_verified = Column(Boolean, default=False) @@ -187,6 +192,17 @@ class User(Base):          ]          return acl +    def _fingerprint(self) -> str: +        # We're not interested in hiding the data by all means, we just want a +        # good check to see whether the email of the represented user actually +        # matches with the database entry. Therefore, we use a short SHAKE hash. +        email = self.email or "" +        shaker = hashlib.shake_128() +        shaker.update(email.encode("utf-8")) +        shaker.update(self.password or b"") +        shaker.update(self.session_secret or b"") +        return shaker.hexdigest(FINGERPRINT_SHAKE_BYTES) +      def authenticated_user_id(self) -> str:          """Returns a string suitable to re-identify this user, e.g. in a cookie          or session. @@ -196,12 +212,7 @@ class User(Base):          :return: The string used to re-identify this user.          """ -        # We're not interested in hiding the email by all means, we just want a -        # good check to see whether the email of the represented user actually -        # matches with the database entry. Therefore, we use a short SHAKE hash. -        email = self.email or "" -        shaker = hashlib.shake_128(email.encode("utf-8")) -        fingerprint = shaker.hexdigest(FINGERPRINT_SHAKE_BYTES) +        fingerprint = self._fingerprint()          return f"{self.id}-{fingerprint}"      @classmethod @@ -229,11 +240,8 @@ class User(Base):              user = session.execute(query).scalar_one()          except NoResultFound:              return None -        email = user.email or "" -        user_fingerprint = hashlib.shake_128(email.encode("utf-8")).hexdigest( -            FINGERPRINT_SHAKE_BYTES -        ) -        if user_fingerprint != fingerprint: +        # pylint: disable=protected-access +        if user._fingerprint() != fingerprint:              return None          return user @@ -270,6 +278,14 @@ class User(Base):          except InvalidKey:              raise PasswordMismatch from None +    def roll_session_secret(self): +        """Rolls a new session secret for the user. + +        This function automatically generates the right amount of random bytes +        from a secure source. +        """ +        self.session_secret = secrets.token_bytes(SESSION_SECRET_LENGTH) +      def principals(self):          """Returns all principals that this user fulfills. diff --git a/fietsboek/routes.py b/fietsboek/routes.py index 36233e6..480094c 100644 --- a/fietsboek/routes.py +++ b/fietsboek/routes.py @@ -60,6 +60,7 @@ def includeme(config):      config.add_route("accept-friend", "/me/accept-friend")      config.add_route("json-friends", "/me/friends.json")      config.add_route("toggle-favourite", "/me/toggle-favourite") +    config.add_route("force-logout", "/me/force-logout")      config.add_route("profile", "/user/{user_id}", factory="fietsboek.models.User.factory")      config.add_route( diff --git a/fietsboek/scripts/fietsctl.py b/fietsboek/scripts/fietsctl.py index 3e987d5..d0b5639 100644 --- a/fietsboek/scripts/fietsctl.py +++ b/fietsboek/scripts/fietsctl.py @@ -111,6 +111,7 @@ def cmd_user_add(      user = models.User(name=name, email=email, is_verified=True, is_admin=admin)      user.set_password(password) +    user.roll_session_secret()      with env["request"].tm:          dbsession = env["request"].dbsession diff --git a/fietsboek/templates/user_data.jinja2 b/fietsboek/templates/user_data.jinja2 index 15588e8..59124ea 100644 --- a/fietsboek/templates/user_data.jinja2 +++ b/fietsboek/templates/user_data.jinja2 @@ -35,6 +35,17 @@    <hr> +  <h2>{{ _("page.my_profile.session_logout.title") }}</h2> + +  <p>{{ _("page.my_profile.session_logout.explanation") }}</p> + +  <form method="POST" action="{{ request.route_path('force-logout') }}"> +    {{ util.hidden_csrf_input() }} +    <button type="submit" class="btn btn-danger"><i class="bi bi-shield-lock-fill"></i> {{ _("page.my_profile.session_logout.button") }}</button> +  </form> + +  <hr> +    <h2>{{ _("page.my_profile.friends") }}</h2>    <ul class="list-group"> diff --git a/fietsboek/views/account.py b/fietsboek/views/account.py index 5400f0a..e353360 100644 --- a/fietsboek/views/account.py +++ b/fietsboek/views/account.py @@ -60,6 +60,7 @@ def do_create_account(request):      user = models.User(name=name, email=email_addr)      user.set_password(password) +    user.roll_session_secret()      request.dbsession.add(user)      actions.send_verification_token(request, user) diff --git a/fietsboek/views/user_data.py b/fietsboek/views/user_data.py index a7680e4..66c2075 100644 --- a/fietsboek/views/user_data.py +++ b/fietsboek/views/user_data.py @@ -4,6 +4,8 @@ import datetime  from pyramid.httpexceptions import HTTPForbidden, HTTPFound, HTTPNotFound  from pyramid.i18n import TranslationString as _  from pyramid.request import Request +from pyramid.response import Response +from pyramid.security import remember  from pyramid.view import view_config  from sqlalchemy import select @@ -48,18 +50,22 @@ def do_change_profile(request):      :rtype: pyramid.response.Response      """      password = request.params["password"] +    # Save the identity as request.identity will be None after changing the +    # password. +    identity = request.identity      if password:          try:              util.check_password_constraints(password, request.params["repeat-password"])          except ValueError as exc:              request.session.flash(request.localizer.translate(exc.args[0]))              return HTTPFound(request.route_url("user-data")) -        request.identity.set_password(request.params["password"]) +        identity.set_password(request.params["password"])      name = request.params["name"] -    if request.identity.name != name: -        request.identity.name = name +    if identity.name != name: +        identity.name = name      request.session.flash(request.localizer.translate(_("flash.personal_data_updated"))) -    return HTTPFound(request.route_url("user-data")) +    headers = remember(request, identity.authenticated_user_id()) +    return HTTPFound(request.route_url("user-data"), headers=headers)  @view_config(route_name="add-friend", permission="user", request_method="POST") @@ -176,3 +182,15 @@ def do_toggle_favourite(request: Request) -> dict:          return HTTPNotFound()      request.identity.toggle_favourite(track)      return {"favourite": request.identity in track.favourees} + + +@view_config(route_name="force-logout", permission="user", request_method="POST") +def do_force_logout(request: Request) -> Response: +    """Forces all sessions to be logged out. + +    :param request: The Pyramid request. +    :return: The HTTP response. +    """ +    request.identity.roll_session_secret() +    request.session.flash(request.localizer.translate(_("flash.sessions_logged_out"))) +    return HTTPFound(request.route_url("login")) diff --git a/tests/playwright/conftest.py b/tests/playwright/conftest.py index b17d457..aefe1ee 100644 --- a/tests/playwright/conftest.py +++ b/tests/playwright/conftest.py @@ -81,7 +81,7 @@ class Helper:              user.set_password("password")              self.dbaccess.add(user)              self.dbaccess.commit() -            self.dbaccess.refresh(user, ["id", "email"]) +            self.dbaccess.refresh(user, ["id", "email", "password", "session_secret"])              self.dbaccess.expunge(user)              self._johnny = user              return user | 
