Handle explicit 'no' from the other side

README.md

@@ -11,6 +11,7 @@ Create a file (e.g., called `run.sh`) with the following:
 export FLASK_SERVE_DIR="/home/YOURUSER/workspace/somesite/build/html"
 export FLASK_MOTHERSHIP="http://localhost:8888/api/staticshield"
 export FLASK_SESSION_COOKIE_NAME="staticshield"
+export FLASK_PERMANENT_SESSION_LIFETIME=7200
 
 flask --app staticshield run
 ```
@@ -25,7 +26,7 @@ ruff check --fix --select I .
 
 ## Deploying
 
-Create a virtualenv with flask, gunicorn:
+Create a virtualenv with Flask and gunicorn to run it:
 
 ```bash
 # Example, create wherever you like

staticshield.py

@@ -56,6 +56,8 @@ def all_routes(path):
 
         # The path we should have gotten back is of the format:
         # /sessionstart/SEKRIT_TOKEN/<the_url_to_redirect_on_here_afterwards>
+        # or, if the request is denied by the mothership:
+        # /sessionstart/denied
         secret_and_redirect = path.split('sessionstart/')[1]
         secret_redirect_split = secret_and_redirect.split('/')
         secret = secret_redirect_split[0]
@@ -63,6 +65,10 @@ def all_routes(path):
         if len(secret_redirect_split) > 1:
             redirect_path = '/'.join(secret_redirect_split[1:])
 
+        if secret == 'denied':
+            # Mother says no
+            return 'Unable to set up session', 403
+
         # Ask the mothership if the secret is known to them, to prevent someone from just making up a URL
         # Mothership will invalidate this secret token upon handling this request to prevent replay
         try: