From 4a244dd5d7ccf353061cafa0d0a97f7f04f59083 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?= Date: Mon, 31 Oct 2022 09:18:25 +0100 Subject: Replace manual cookies with flask session. --- main.py | 43 ++++++++++++++----------------------------- 1 file changed, 14 insertions(+), 29 deletions(-) (limited to 'main.py') diff --git a/main.py b/main.py index 6cd3355..f1c7b27 100644 --- a/main.py +++ b/main.py @@ -16,6 +16,7 @@ from html_render import HTML, render_document from flask import ( Flask, + session, request, redirect, url_for, @@ -246,48 +247,40 @@ def index_page(username): )) -valid_session_cookies: dict[str, str] = {} - passwords: Passwords = password.Passwords(cast(os.PathLike, 'passwords.json')) -def is_logged_in(): - c = request.cookies.get('session') - if c and valid_session_cookies.get(c): - return valid_session_cookies[c] - return False - - app = Flask(__name__) +app.secret_key = 'THIS IS A RANDOM STRING' @app.route('/') def index(): - login = is_logged_in() - if not login: + username = session.get('username') + if not username: return redirect(url_for('login_page_', returnto=request.path)) if id := request.args.get('id'): print("id =", id) response = response_for(''.join(id).replace(' ', '+'), - login) + username) else: - response = index_page(login) + response = index_page(username) return response @app.route('/search') def search_page_(): - login = is_logged_in() - if not login: + username = session.get('username') + if not username: return redirect(url_for('login_page_', returnto=request.path)) return search_page(request.args.get('q'), request.args.get('by'), - login) + username) @app.route('/login', methods=['GET']) def login_page_(): - if not is_logged_in(): + if 'username' not in session: body = login_page(request.args.get('returnto')) return render_document(page_base(title='Login', body=body)) else: 
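Review bot: The new `app.secret_key = 'THIS IS A RANDOM STRING'` is a fixed value committed to the repository, and since Flask's default session is a client-side cookie signed with exactly this key, anyone who can read the source can mint a cookie carrying `session['username']` for any account and pass every `session.get('username')` check introduced in this hunk. Load the key from outside the source instead, e.g. `app.secret_key = os.environ['FLASK_SECRET_KEY']` (`os` is already imported for `os.PathLike`), generate it once with `secrets.token_hex(32)`, and treat the committed string as burned. The session cookie is signed but not encrypted, so the username is readable by the browser and nothing sensitive should ever be placed in `session`. If the app is served over HTTPS, also set `app.config.update(SESSION_COOKIE_SECURE=True, SESSION_COOKIE_SAMESITE='Lax')` next to the key (HttpOnly is already Flask's default). The `))` at the top of the hunk closes `index_page`, whose body lies outside this view, and `login_page_` continues past the `else:` at the bottom.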
@@ -297,8 +290,7 @@ def login_page_(): @app.route('/login', methods=['POST']) def login_form(): - global valid_session_cookies - logged_in = is_logged_in() + logged_in = session.get('username') resp = redirect(request.args.get('returnto', url_for('index'))) if logged_in: @@ -308,9 +300,7 @@ def login_form(): username = request.form['username'] password = request.form['password'] if passwords.validate(username, password): - unique = str(uuid4()) - valid_session_cookies[unique] = username - resp.set_cookie('session', unique) + session['username'] = username else: flash('Invalid username or password') return resp @@ -318,16 +308,11 @@ def login_form(): @app.route('/logout', methods=['POST']) def logout_form(): - global valid_session_cookies - logged_in = is_logged_in() - if not logged_in: + if not session.get('username'): flash('Not logged in') return redirect(url_for('index')) - c = request.cookies.get('session') - if valid_session_cookies.get(c): - del valid_session_cookies[c] + session.pop('username', None) resp = redirect(url_for('index')) - resp.set_cookie('session', '') return resp -- cgit v1.2.3
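Review bot: On the successful-login path `session['username'] = username` writes the new identity on top of whatever the incoming session cookie already carried; reset the session first, `session.clear()` followed by `session['username'] = username`, so no key from a previous or browser-supplied cookie survives authentication. With the signed-cookie session an attacker cannot forge that cookie, so this is inexpensive defence in depth rather than a fixation hole, but it makes the post-login state depend only on the credentials just checked. What is stored is the raw form field, not whatever `passwords.validate` matched against; if that lookup is case-insensitive, store the canonical name so later comparisons on `username` agree. The head of `login_form` and the branch taken when `logged_in` is already set are outside this hunk.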
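Review bot: `session.pop('username', None)` in `logout_form` revokes nothing on the server: the removed `valid_session_cookies` dict let the server forget a session, whereas the Flask session lives entirely in the signed cookie, so a copy of the pre-logout cookie stays valid until it expires. Use `session.clear()` here so no other keys linger, and bound the replay window with `app.config['PERMANENT_SESSION_LIFETIME']` together with `session.permanent = True` at login; genuine revocation would need a server-side session store or a per-user token re-checked on every request. This is a deliberate trade-off the commit message does not mention, so a short comment above the line, `# client-side session: logout only drops our cookie, it cannot invalidate copies`, would stop a later reader from assuming server-side logout. The hunk ends at the function's `return resp`, so all of `logout_form` is visible.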