From 24ed36cc1b5ee04c268ef98188b5ba767935c70c Mon Sep 17 00:00:00 2001
From: Alexis Lahouze
Date: Wed, 13 Jan 2016 12:50:57 +0100
Subject: [PATCH] Change session token generation mecanism.

---
 accountant/api/models/users.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/accountant/api/models/users.py b/accountant/api/models/users.py
index fc8ee4e..3f23dd8 100644
--- a/accountant/api/models/users.py
+++ b/accountant/api/models/users.py
@@ -16,7 +16,7 @@
 """
 # vim: set tw=80 ts=4 sw=4 sts=4:
 from passlib.hash import sha256_crypt as crypt
-from itsdangerous import (TimedJSONWebSignatureSerializer as Serializer,
+from itsdangerous import (URLSafeTimedSerializer as Serializer,
                           BadSignature, SignatureExpired)
 
 from flask import current_app as app
@@ -47,8 +47,9 @@ class User(UserMixin, db.Model):
     def verify_password(self, password):
         return crypt.verify(password, self.password)
 
-    def generate_auth_token(self, expiration=600):
-        serializer = Serializer(app.config['SECRET_KEY'], expires_in=expiration)
+    def generate_auth_token(self):
+        serializer = Serializer(app.secret_key)
+
         return serializer.dumps({'id': self.id})
 
     @classmethod
@@ -56,7 +57,7 @@ class User(UserMixin, db.Model):
         serializer = Serializer(app.config['SECRET_KEY'])
 
         try:
-            data = serializer.loads(token)
+            data = serializer.loads(token, max_age=app.config["SESSION_TTL"])
         except SignatureExpired:
             return None
         except BadSignature:
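Review bot: The new `def generate_auth_token(self):` drops the `expiration` keyword the old signature accepted, so any caller still passing `expiration=` now raises TypeError; either check the call sites or keep a `expiration=None` parameter and document that per-token lifetimes are no longer supported. With `URLSafeTimedSerializer` the token carries only an issue timestamp, so its lifetime is decided at verification time by the app's TTL setting rather than baked into the token — worth a docstring such as `"""Return a signed, URL-safe token for this user; validity is bounded by SESSION_TTL at verification time, so changing that setting affects every outstanding token."""`. This method also reads the key as `app.secret_key` while the verifying classmethod in the next hunk uses `app.config['SECRET_KEY']`; in Flask these resolve to the same value, but reading it the same way in both places (`Serializer(app.config['SECRET_KEY'])`) avoids a reader wondering whether two different keys are in play.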
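Review bot: `app.config["SESSION_TTL"]` raises KeyError when the setting is absent, and that escapes the `try`, which catches only `SignatureExpired` and `BadSignature`, so a missing config turns every token check into a server error instead of a rejected token; either validate the key at app startup or give it an explicit default matching the old 600 seconds, `max_age=app.config.get("SESSION_TTL", 600)`. `URLSafeTimedSerializer` signs but does not encrypt, so the `{'id': ...}` payload is readable by anyone holding the token — acceptable for an id, but a comment like `# token payload is signed, not encrypted: never put secrets in it` would stop sensitive fields being added later. Note also that itsdangerous' timed serializer defaults to HMAC-SHA1 where the old JWS serializer defaulted to HS512; HMAC-SHA1 is not broken, but if a stronger digest is wanted it can be requested via `signer_kwargs={'digest_method': hashlib.sha256}` on both the issuing and verifying side (confirm against the installed itsdangerous version). The enclosing classmethod's `def` line is outside this hunk.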