3060 active user session

tdrs-backend/tdpservice/core/custom_session_engine.py

@@ -0,0 +1,59 @@
+"""Custom session engine for TDP."""
+
+from django.contrib.sessions.backends import signed_cookies
+from django.core import signing
+import datetime
+from django.conf import settings
+
+class SessionStore(signed_cookies.SessionStore):
+    """Custom session engine for TDP."""
+
+    def __init__(self, session_key=None):
+        """Initialize the custom session engine."""
+        super().__init__(session_key)
+
+    def load(self):
+        """Load the session data from the database."""
+        """
+        Load the data from the key itself instead of fetching from some
+        external data store. Opposite of _get_session_key(), raise BadSignature
+        if signature fails.
+        """
+
+        try:
+            return signing.loads(
+                self.session_key,
+                serializer=self.serializer,
+                # This doesn't handle non-default expiry dates, see #19201
+                max_age=datetime.timedelta(seconds=settings.SIGNED_COOKIE_EXPIRES),
+                salt="django.contrib.sessions.backends.signed_cookies",
+            )
+        except Exception:
+            # BadSignature, ValueError, or unpickling exceptions. If any of
+            # these happen, reset the session.
+            return {}
+
+    def cycle_key(self):
+        """Cycle the session key."""
+        super().cycle_key()
+
+    def create(self):
+        """Create a new session."""
+        # first check if the session exists
+        super().create()
+
+    def save(self, must_create=False):
+        """Save the session data."""
+        super().save(must_create)
+
+    def exists(self, session_key):
+        """Check if the session exists."""
+        return super().exists(session_key)
+
+    def delete(self, session_key=None):
+        """Delete the session data."""
+        super().delete(session_key)
+
+    def _get_session_key(self):
+        """Get the session key."""
+        return super()._get_session_key()

tdrs-backend/tdpservice/data_files/admin/admin.py

@@ -1,7 +1,6 @@
 """Admin class for DataFile objects."""
 from django.contrib import admin
 from tdpservice.core.utils import ReadOnlyAdminMixin
-# from tdpservice.core.filters import custom_filter_title
 from tdpservice.data_files.models import DataFile, LegacyFileTransfer
 from tdpservice.parsers.models import DataFileSummary, ParserError
 from tdpservice.data_files.admin.filters import DataFileSummaryPrgTypeFilter, LatestReparseEvent, VersionFilter

tdrs-backend/tdpservice/security/utils.py

@@ -13,6 +13,7 @@
 
 def token_is_valid(token):
     """Check if token is valid."""
+    # TODO: Add logging
     utc_now = datetime.now()
     utc_now = utc_now.replace(tzinfo=pytz.utc)
     if token.created < (utc_now - timedelta(hours=settings.TOKEN_EXPIRATION_HOURS)):

tdrs-backend/tdpservice/settings/common.py

@@ -281,10 +281,12 @@ class Common(Configuration):
     )
 
     # Sessions
-    SESSION_ENGINE = "django.contrib.sessions.backends.signed_cookies"
+    SESSION_ENGINE = "tdpservice.core.custom_session_engine"
+    #SIGNED_COOKIE_EXPIRES = 60 * 60 * 24  # 24 hours
     SESSION_COOKIE_HTTPONLY = True
+    SESSION_SAVE_EVERY_REQUEST = True
     SESSION_EXPIRE_AT_BROWSER_CLOSE = True
-    SESSION_COOKIE_AGE = 15 * 60  # 15 minutes
+    SESSION_COOKIE_AGE = 10  # 15 minutes
     # The CSRF token Cookie holds no security benefits when confined to HttpOnly.
     # Setting this to false to allow the frontend to include it in the header
     # of API POST calls to prevent false negative authorization errors.
@@ -551,4 +553,8 @@ class Common(Configuration):
     IGNORE_DUPLICATE_ERROR_PRECEDENCE = os.getenv("IGNORE_DUPLICATE_ERROR_PRECEDENCE", False)
     BULK_CREATE_BATCH_SIZE = os.getenv("BULK_CREATE_BATCH_SIZE", 10000)
     MEDIAN_LINE_PARSE_TIME = os.getenv("MEDIAN_LINE_PARSE_TIME", 0.0005574226379394531)
+
+    CSRF_COOKIE_SAMESITE = None
+    SESSION_COOKIE_SAMESITE = None
+
     BYPASS_OFA_AUTH = os.getenv("BYPASS_OFA_AUTH", False)