forked from CGM_Public/pretix_original
Pin sessions to the user agent in use
This commit is contained in:
Raphael Michel
@@ -1,12 +1,11 @@
|
|||||||
import time
|
|
||||||
|
|
||||||
from django.conf import settings
|
|
||||||
from django.contrib.auth import logout
|
|
||||||
from rest_framework.exceptions import PermissionDenied
|
from rest_framework.exceptions import PermissionDenied
|
||||||
from rest_framework.permissions import SAFE_METHODS, BasePermission
|
from rest_framework.permissions import SAFE_METHODS, BasePermission
|
||||||
|
|
||||||
from pretix.base.models import Event
|
from pretix.base.models import Event
|
||||||
from pretix.base.models.organizer import Organizer, TeamAPIToken
|
from pretix.base.models.organizer import Organizer, TeamAPIToken
|
||||||
|
from pretix.helpers.security import (
|
||||||
|
SessionInvalid, SessionReauthRequired, assert_session_valid,
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
class EventPermission(BasePermission):
|
class EventPermission(BasePermission):
|
||||||
@@ -24,16 +23,13 @@ class EventPermission(BasePermission):
|
|||||||
required_permission = None
|
required_permission = None
|
||||||
|
|
||||||
if request.user.is_authenticated:
|
if request.user.is_authenticated:
|
||||||
# If this logic is updated, make sure to also update the logic in pretix/control/middleware.py
|
try:
|
||||||
if not settings.PRETIX_LONG_SESSIONS or not request.session.get('pretix_auth_long_session', False):
|
# If this logic is updated, make sure to also update the logic in pretix/control/middleware.py
|
||||||
last_used = request.session.get('pretix_auth_last_used', time.time())
|
assert_session_valid(request)
|
||||||
if time.time() - request.session.get('pretix_auth_login_time', time.time()) > settings.PRETIX_SESSION_TIMEOUT_ABSOLUTE:
|
except SessionInvalid:
|
||||||
logout(request)
|
return False
|
||||||
request.session['pretix_auth_login_time'] = 0
|
except SessionReauthRequired:
|
||||||
return False
|
return False
|
||||||
if time.time() - last_used > settings.PRETIX_SESSION_TIMEOUT_RELATIVE:
|
|
||||||
return False
|
|
||||||
request.session['pretix_auth_last_used'] = int(time.time())
|
|
||||||
|
|
||||||
perm_holder = (request.auth if isinstance(request.auth, TeamAPIToken)
|
perm_holder = (request.auth if isinstance(request.auth, TeamAPIToken)
|
||||||
else request.user)
|
else request.user)
|
||||||
|
|||||||
@@ -1,4 +1,3 @@
|
|||||||
import time
|
|
||||||
from urllib.parse import quote, urljoin, urlparse
|
from urllib.parse import quote, urljoin, urlparse
|
||||||
|
|
||||||
from django.conf import settings
|
from django.conf import settings
|
||||||
@@ -11,6 +10,9 @@ from django.utils.encoding import force_str
|
|||||||
from django.utils.translation import ugettext as _
|
from django.utils.translation import ugettext as _
|
||||||
|
|
||||||
from pretix.base.models import Event, Organizer
|
from pretix.base.models import Event, Organizer
|
||||||
|
from pretix.helpers.security import (
|
||||||
|
SessionInvalid, SessionReauthRequired, assert_session_valid,
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
class PermissionMiddleware(MiddlewareMixin):
|
class PermissionMiddleware(MiddlewareMixin):
|
||||||
@@ -64,18 +66,15 @@ class PermissionMiddleware(MiddlewareMixin):
|
|||||||
if not request.user.is_authenticated:
|
if not request.user.is_authenticated:
|
||||||
return self._login_redirect(request)
|
return self._login_redirect(request)
|
||||||
|
|
||||||
if not settings.PRETIX_LONG_SESSIONS or not request.session.get('pretix_auth_long_session', False):
|
try:
|
||||||
# If this logic is updated, make sure to also update the logic in pretix/api/auth/permission.py
|
# If this logic is updated, make sure to also update the logic in pretix/api/auth/permission.py
|
||||||
last_used = request.session.get('pretix_auth_last_used', time.time())
|
assert_session_valid(request)
|
||||||
if time.time() - request.session.get('pretix_auth_login_time', time.time()) > settings.PRETIX_SESSION_TIMEOUT_ABSOLUTE:
|
except SessionInvalid:
|
||||||
logout(request)
|
logout(request)
|
||||||
request.session['pretix_auth_login_time'] = 0
|
return self._login_redirect(request)
|
||||||
return self._login_redirect(request)
|
except SessionReauthRequired:
|
||||||
if url_name != 'user.reauth':
|
if url_name != 'user.reauth':
|
||||||
if time.time() - last_used > settings.PRETIX_SESSION_TIMEOUT_RELATIVE:
|
return redirect(reverse('control:user.reauth') + '?next=' + quote(request.get_full_path()))
|
||||||
return redirect(reverse('control:user.reauth') + '?next=' + quote(request.get_full_path()))
|
|
||||||
|
|
||||||
request.session['pretix_auth_last_used'] = int(time.time())
|
|
||||||
|
|
||||||
if 'event' in url.kwargs and 'organizer' in url.kwargs:
|
if 'event' in url.kwargs and 'organizer' in url.kwargs:
|
||||||
request.event = Event.objects.filter(
|
request.event = Event.objects.filter(
|
||||||
|
|||||||
37
src/pretix/helpers/security.py
Normal file
37
src/pretix/helpers/security.py
Normal file
@@ -0,0 +1,37 @@
|
|||||||
|
import hashlib
|
||||||
|
import time
|
||||||
|
|
||||||
|
from django.conf import settings
|
||||||
|
|
||||||
|
|
||||||
|
class SessionInvalid(Exception):
|
||||||
|
pass
|
||||||
|
|
||||||
|
|
||||||
|
class SessionReauthRequired(Exception):
|
||||||
|
pass
|
||||||
|
|
||||||
|
|
||||||
|
def get_user_agent_hash(request):
|
||||||
|
return hashlib.sha256(request.META['HTTP_USER_AGENT'].encode()).hexdigest()
|
||||||
|
|
||||||
|
|
||||||
|
def assert_session_valid(request):
|
||||||
|
if not settings.PRETIX_LONG_SESSIONS or not request.session.get('pretix_auth_long_session', False):
|
||||||
|
last_used = request.session.get('pretix_auth_last_used', time.time())
|
||||||
|
if time.time() - request.session.get('pretix_auth_login_time',
|
||||||
|
time.time()) > settings.PRETIX_SESSION_TIMEOUT_ABSOLUTE:
|
||||||
|
request.session['pretix_auth_login_time'] = 0
|
||||||
|
raise SessionInvalid()
|
||||||
|
if time.time() - last_used > settings.PRETIX_SESSION_TIMEOUT_RELATIVE:
|
||||||
|
raise SessionReauthRequired()
|
||||||
|
|
||||||
|
if 'HTTP_USER_AGENT' in request.META:
|
||||||
|
if 'pinned_user_agent' in request.session:
|
||||||
|
if request.session.get('pinned_user_agent') != get_user_agent_hash(request):
|
||||||
|
raise SessionInvalid()
|
||||||
|
else:
|
||||||
|
request.session['pinned_user_agent'] = get_user_agent_hash(request)
|
||||||
|
|
||||||
|
request.session['pretix_auth_last_used'] = int(time.time())
|
||||||
|
return True
|
||||||
@@ -598,3 +598,12 @@ class SessionTimeOutTest(TestCase):
|
|||||||
self.assertEqual(response.status_code, 200)
|
self.assertEqual(response.status_code, 200)
|
||||||
|
|
||||||
assert self.client.session['pretix_auth_last_used'] > t1
|
assert self.client.session['pretix_auth_last_used'] > t1
|
||||||
|
|
||||||
|
def test_pinned_user_agent(self):
|
||||||
|
self.client.defaults['HTTP_USER_AGENT'] = 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36'
|
||||||
|
response = self.client.get('/control/')
|
||||||
|
self.assertEqual(response.status_code, 200)
|
||||||
|
|
||||||
|
self.client.defaults['HTTP_USER_AGENT'] = 'Mozilla/5.0 (X11; Linux x86_64) Something else'
|
||||||
|
response = self.client.get('/control/')
|
||||||
|
self.assertEqual(response.status_code, 302)
|
||||||
|
|||||||
Reference in New Issue
Block a user