Initial commit

Author: stevemccartney

.gitignore

@@ -0,0 +1,147 @@
+# Created by .ignore support plugin (hsz.mobi)
+### Python template
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+.idea/
+.vscode/
+virtualenv/
+docs/build_*
+.DS_Store

LICENSE

@@ -0,0 +1,13 @@
+Copyright 2020 Steve McCartney
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

README.md

@@ -0,0 +1,44 @@
+# Flask-SSS
+
+Server-Side Sessions for Flask implemented as a SessionInterface.
+
+## Data model
+
+The user_id field allows for users to either list their open sessions and close other sessions they have open.  It also enables administrators to log out all sessions for a user that needs to be suspended or deleted.
+
+## Usage
+
+```python
+from flask import Flask
+from flask_sss import SQLAlchemySessionInterface
+from flask_sqlalchemy import SQLAlchemy
+from sqlalchemy import Column, String, DateTime, Text
+from datetime import datetime
+import uuid
+
+app = Flask(__name__)
+db = SQLAlchemy(app)
+
+class UserSession(db.Model):
+    __tablename__ = "user_session"
+
+    id = Column(String(length=255), primary_key=True)
+    session_id = Column(String(length=255), unique=True)
+    user_id = Column(String(length=255), nullable=True)
+    created_at = Column(DateTime(), nullable=False, default=datetime.utcnow)
+    updated_at = Column(DateTime(), nullable=False, default=datetime.utcnow, onupdate=datetime.utcnow)
+    expires_at = Column(DateTime(), nullable=False)
+    data = Column(Text(), nullable=False)
+
+def make_id():
+    return str(uuid.uuid4())
+
+app.session_interface = SQLAlchemySessionInterface(
+    orm_session=db.session,
+    sql_session_model=UserSession,
+    make_id=make_id
+)
+```
+## Notes
+
+A daily process to remove expired sessions is recommended to stop the session list expanding over time.

flask_sss/__init__.py

@@ -0,0 +1,154 @@
+"""
+A Flask SessionInterface implementing server-side sessions stored in SQLAlchemy
+"""
+import base64
+import os
+from datetime import datetime, timezone
+from typing import Callable, Protocol, Optional, Type, Dict, Any
+
+from flask import Flask, Response, Request, current_app
+from flask.json.tag import TaggedJSONSerializer
+from flask.sessions import SessionInterface, SessionMixin
+from sqlalchemy.orm import Session
+from werkzeug.datastructures import CallbackDict
+
+
+class UserSessionTableProtocol(Protocol):
+    """
+    Defines the minimum set of fields necessary for a declarative SQLAlchemy model to work with the SessionInterface
+    """
+
+    id: str
+    session_id: str
+    expires_at: datetime
+    data: str
+    user_id: Optional[str]
+
+
+class SerializerProtocol(Protocol):
+    def dumps(self, value: Dict[Any, Any]) -> str:
+        pass
+
+    def loads(self, value: str) -> Dict[Any, Any]:
+        pass
+
+
+def default_mint_session_id() -> str:
+    return str(base64.b32encode(os.urandom(30)), encoding="utf8")
+
+
+class ServerSideSession(CallbackDict, SessionMixin):
+    """Baseclass for server-side based sessions."""
+
+    def __init__(self, sid: str, initial: Optional[Dict[Any, Any]] = None, permanent: Optional[bool] = None) -> None:
+        def on_update(s: ServerSideSession) -> None:
+            s.modified = True
+
+        super().__init__(initial, on_update)
+        self.sid = sid
+        self.modified = False
+        if permanent:
+            self.permanent = permanent
+
+
+class SQLAlchemySessionInterface(SessionInterface):
+    session_class = ServerSideSession
+
+    def __init__(
+        self,
+        orm_session: Session,
+        sql_session_model: Type,
+        make_id: Callable[[], str],
+        make_session_id: Callable[[], str] = default_mint_session_id,
+        permanent: Optional[bool] = None,
+        serializer: Optional[SerializerProtocol] = None,
+    ):
+        self.permanent = permanent
+        self.make_id = make_id
+        self.make_session_id = make_session_id
+        if serializer is None:
+            serializer = TaggedJSONSerializer()
+        self.serializer = serializer
+        self.orm_session = orm_session
+        self.sql_session_model = sql_session_model
+
+    def open_session(self, app: Flask, request: Request):
+        """This method has to be implemented and must either return ``None``
+        in case the loading failed because of a configuration error or an
+        instance of a session object which implements a dictionary like
+        interface + the methods and attributes on :class:`SessionMixin`.
+        """
+        sid = request.cookies.get(app.session_cookie_name)
+        if not sid:
+            sid = self.make_session_id()
+            return self.session_class(sid=sid, permanent=self.permanent)
+
+        saved_session = (
+            self.orm_session.query(self.sql_session_model).filter(self.sql_session_model.session_id == sid).first()
+        )
+        if saved_session and saved_session.expires_at <= datetime.now(timezone.utc):
+            # delete the saved session if it has expired
+            self.orm_session.delete(saved_session)
+            self.orm_session.commit()
+            saved_session = None
+
+        if saved_session:
+            try:
+                json_data = saved_session.data
+                data = self.serializer.loads(json_data)
+                return self.session_class(sid=sid, initial=data)
+            except Exception:
+                return self.session_class(sid=self.make_session_id(), permanent=self.permanent)
+
+        return self.session_class(sid=sid, permanent=self.permanent)
+
+    def save_session(self, app: Flask, session: ServerSideSession, response: Response) -> None:
+        """This is called for actual sessions returned by :meth:`open_session`
+        at the end of the request.  This is still called during a request
+        context so if you absolutely need access to the request you can do
+        that.
+        """
+        domain = self.get_cookie_domain(app)
+        path = self.get_cookie_path(app)
+        sid = session.sid
+        saved_session = (
+            self.orm_session.query(self.sql_session_model).filter(self.sql_session_model.session_id == sid).first()
+        )
+        if not session:
+            if session.modified:
+                if saved_session:
+                    self.orm_session.delete(saved_session)
+                    self.orm_session.commit()
+                response.delete_cookie(app.session_cookie_name, domain=domain, path=path)
+            return
+
+        if not self.should_set_cookie(app, session):
+            return
+
+        httponly = self.get_cookie_httponly(app)
+        secure = self.get_cookie_secure(app)
+        expires = self.get_expiration_time(app, session)
+
+        val = self.serializer.dumps(dict(session))
+        if saved_session:
+            saved_session.data = val
+            saved_session.expiry = expires
+            self.orm_session.commit()
+        else:
+            new_session: UserSessionTableProtocol = self.sql_session_model(
+                id=self.make_id(), session_id=session.sid, data=val, expires_at=expires
+            )
+            self.orm_session.add(new_session)
+            self.orm_session.commit()
+
+        session_id = session.sid
+        response.set_cookie(
+            app.session_cookie_name,
+            session_id,
+            expires=expires,
+            httponly=httponly,
+            domain=domain,
+            path=path,
+            secure=secure,
+            samesite=current_app.config.get("SESSION_COOKIE_SAMESITE", "Strict"),
+        )

flask_sss/__version__.py

@@ -0,0 +1,7 @@
+__title__ = 'Flask-SSS'
+__description__ = 'Server-Side Sessions for Flask implemented as a SessionInterface.'
+__version__ = '0.1.0'
+__author__ = 'Steve McCartney'
+__author_email__ = '[email protected]'
+__license__ = 'Apache 2.0'
+__url__ = 'https://github.com/stevemccartney/flask-sss'