Use 'permanent' session with a timeout

README.md

@@ -51,9 +51,12 @@ After=network.target
 [Service]
 User=divault
 WorkingDirectory=/srv/staticshield
-Environment=FLASK_SERVE_DIR="/srv/a_static_website/html"
+#StandardOutput=file:/srv/logs/staticshield.log
+Environment=FLASK_SERVE_DIR="/srv/some_static_website/html"
 Environment=FLASK_MOTHERSHIP="https://api.example.com/api/staticshield"
 Environment=FLASK_SESSION_COOKIE_NAME="staticshield"
+# Max session length of 2h
+Environment=FLASK_PERMANENT_SESSION_LIFETIME=7200
 ExecStart=/application/venvs/staticshield/bin/gunicorn -b localhost:8000 -w 4 staticshield:app
 #ExecStart=/application/venvs/staticshield/bin/gunicorn -b unix:staticshield.sock -m 007 -w 4 staticshield:app
 Restart=always

staticshield.py

@@ -26,10 +26,13 @@ dictConfig({
 
 app = Flask(__name__)
 app.config.from_prefixed_env()
-app.config['SESSION_PERMANENT'] = False
+app.config['SESSION_PERMANENT'] = True
 app.config['SESSION_TYPE'] = 'filesystem'
 Session(app)
 
+# Verify the required configuration
+# SERVE_DIR: Base dir of the files we want to serve; Flask will take care not to escape this dir
+# MOTHERSHIP: Mothership server and login-url, which will redirect here with a sessionstart/SEKRIT
 config_vars = ['SERVE_DIR', 'MOTHERSHIP']
 for config_var in config_vars:
     if config_var not in app.config:
@@ -38,12 +41,6 @@ for config_var in config_vars:
     else:
         app.logger.info('Config env %s with value "%s"', config_var, app.config[config_var])
 
-# Base dir of the files we want to serve; Flask will take care not to escape this dir
-SERVE_DIR = app.config['SERVE_DIR']
-
-# Mothership server and login-url, which will redirect here with a sessionstart/SEKRIT
-MOTHERSHIP = app.config['MOTHERSHIP']
-
 
 @app.route('/<path:path>', methods=['GET', 'POST'])
 def all_routes(path):
@@ -70,7 +67,7 @@ def all_routes(path):
         # Mothership will invalidate this secret token upon handling this request to prevent replay
         try:
             app.logger.info('verifying token "%s"', secret)
-            with urllib.request.urlopen(f'{MOTHERSHIP}/verify/{secret}') as response:
+            with urllib.request.urlopen(f'{app.config["MOTHERSHIP"]}/verify/{secret}') as response:
                 challenge_response = response.read()
                 print(challenge_response)
                 try:
@@ -102,13 +99,13 @@ def all_routes(path):
         callback_url = f'{request.host_url}sessionstart/'
         # No session yet, redirect to mothership
         app.logger.info('Redirecting to mothership with %s', original_url)
-        return redirect(f'{MOTHERSHIP}/login?redirect={original_url}&callback={callback_url}')
+        return redirect(f'{app.config["MOTHERSHIP"]}/login?redirect={original_url}&callback={callback_url}')
 
-    file_path = os.path.join(SERVE_DIR, path)
+    file_path = os.path.join(app.config['SERVE_DIR'], path)
     if os.path.isfile(file_path):
         app.logger.info('Serving file %s', str(file_path))
         # This takes a base directory and a path, and ensures that the path is contained in the directory, which makes it safe to accept user-provided paths.
-        return send_from_directory(SERVE_DIR, path)
+        return send_from_directory(app.config['SERVE_DIR'], path)
     else:
         app.logger.error('File not found: %s', str(file_path))
         return 'Sorry, 404'