def logout_session(self):
"""Delete user's current session and cookie"""
# Delete the session from Redis
try:
if self.session_id:
SessionCache.delete_session(self.id, self.session_id)
except:
current_app.logger.warning("User without session_id")
# If there is a cookie, try deleting the session in redis
cookie_data = request.cookies.get(
current_app.config.get("REMEMBER_COOKIE_NAME"))
if cookie_data:
s = Serializer(current_app.config["SECRET_KEY"])
try:
data = s.loads(cookie_data)
user_id = data["user_id"]
session_id = data["session_id"]
except:
current_app.logger.info("Corrupt cookie for user %s" % self.id)
return
if user_id and session_id:
SessionCache.delete_session(user_id, session_id)
current_app.logger.debug("Deleted cookie session %s" %
session_id)
def get_id(self, expiration=None):
"""Returns the id and session id used to identify a logged-in user"""
# Used exclusively by flask-login
if not expiration:
expiration = current_app.config.get("SESSION_EXPIRATION")
if not self.is_authenticated:
current_app.logger.info(
"Cannot generate token because user not authenticated")
return None
try:
session_id = self.session_id
if not session_id:
session_id = SessionCache.create_session(
self.id,
expiration=current_app.config.get("SESSION_EXPIRATION"))
except:
session_id = SessionCache.create_session(
self.id,
expiration=current_app.config.get("SESSION_EXPIRATION"))
# flask-login handles encryption of this
token = "%(user_id)s-%(session_id)s" % {
"user_id": self.id,
"session_id": session_id
}
return token
def get_all_sessions(self):
# {session_id => {"remote_ip": "str", "last_used": utctimestamp}}
# Get keys
keys = SessionCache.get_all_sessions(self.id)
output = {}
for key in keys:
# Key not guaranteed to be unique across users
output[key] = SessionCache.get_session_info(self.id, key)
return output
def load_session_id(token):
"""Load user session as opposite of get_id function"""
# used exclusively by flask-login
try:
user_id, session_id = token.split("-")
except:
return None
if not user_id or not session_id:
return None
if SessionCache.validate_session(user_id, session_id):
user = User.query.get(user_id)
user.set_session_id(session_id)
return user
return None
def get_auth_token(self):
"""Cookie info. Must be secure."""
s = Serializer(current_app.config["SECRET_KEY"],
current_app.config["COOKIE_EXPIRATION"])
current_app.logger.debug("Generating auth token for user %s" % self.id)
if not self.is_authenticated:
raise Exception("User not authenticated")
return s.dumps({
"user_id":
self.id,
"session_id":
SessionCache.create_session(
self.id, expiration=current_app.config["COOKIE_EXPIRATION"])
})
def load_session_token(token):
"""Load cookie session"""
s = Serializer(current_app.config["SECRET_KEY"],
current_app.config.get("SESSION_EXPIRATION"))
try:
data = s.loads(token)
except:
return None
if SessionCache.validate_session(data.get("user_id", -1),
data.get("session_id", "-1")):
user = User.query.get(data["user_id"])
user.set_session_id(data["session_id"])
current_app.logger.debug("Loading user %s from cookie session %s" %
(user.id, user.session_id))
return user
return None
def verify_api_token(token):
"""Validate a time-based token (from single page apps)"""
s = Serializer(current_app.config["SECRET_KEY"])
try:
data = s.loads(token)
except:
return None
if not data.get("id") or not data.get("session_id"):
return None
if SessionCache.validate_session(data.get("id"),
data.get("session_id")):
user = User.query.get(data.get("id"))
if user is not None:
user.set_session_id(data.get("session_id"))
return user
return None
def logout_all_sessions(self):
"""Log out all user sessions"""
current_app.logger.info("Logged user %s out of all sessions" % self.id)
SessionCache.delete_all_sessions(self.id)
def get_target_session(self, session_id):
"""Returns info from a target session key"""
return SessionCache.get_session_info(self.id, session_id)
def logout_target_session(self, session_id):
"""Delete user's current session and cookie"""
SessionCache.delete_session(self.id, session_id)