From 0310f0f5421cb3984f947bb549866c1e0457ae5b Mon Sep 17 00:00:00 2001
From: Ben Busby
Date: Mon, 5 Dec 2022 12:14:14 -0700
Subject: [PATCH] Use app init enc key by default for all queries
This can be updated later to allow users with cookies enabled to use a key that is unique to their session (if they want, not mandatory), but for now it makes more sense to just use a single key for all queries from all users. This should eliminate a lot of issues that users have reported where they are unable to decrypt queries or page elements due to an expired/renewed session key.
---
 app/__init__.py | 4 ++--
 app/routes.py | 28 +++++++++++++++-------------
 app/utils/session.py | 2 +-
 test/conftest.py | 4 ++--
 test/test_misc.py | 6 +++---
 test/test_results.py | 6 +++---
 6 files changed, 26 insertions(+), 24 deletions(-)
diff --git a/app/__init__.py b/app/__init__.py
index a9b6f81..a2ef043 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -1,6 +1,6 @@
 from app.filter import clean_query
 from app.request import send_tor_signal
-from app.utils.session import generate_user_key
+from app.utils.session import generate_key
 from app.utils.bangs import gen_bangs_json
 from app.utils.misc import gen_file_hash, read_config_bool
 from base64 import b64encode
@@ -31,7 +31,7 @@ dot_env_path = (
 if read_config_bool('WHOOGLE_DOTENV'):
     load_dotenv(dot_env_path)
-app.default_key = generate_user_key()
+app.enc_key = generate_key()
 if read_config_bool('HTTPS_ONLY'):
     app.config['SESSION_COOKIE_NAME'] = '__Secure-session'
diff --git a/app/routes.py b/app/routes.py
index c1bb56b..d48a387 100644
--- a/app/routes.py
+++ b/app/routes.py
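Review bot: `app.enc_key = generate_key()` produces a fresh Fernet key per process and per start, which leaves two common deployment shapes with the same undecryptable-token symptom the description is trying to remove: several WSGI workers or replicas each mint their own key, and a restart invalidates every query and element URL issued before it. The `generate_key` docstring in session.py says the key encrypts "searches and element URLs", i.e. values that leave the process and come back later, so a process-local random key is only sufficient for a single long-lived worker. Consider letting the key be supplied from configuration (this file already reads settings through `read_config_bool`/dotenv) and falling back to `generate_key()` only when nothing is configured, with a comment such as `# NOTE: without a configured key this is per-process and per-start; multi-worker or restarted instances will not share it`. The surrounding module-level statements continue outside the hunk.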
@@ -22,7 +22,7 @@ from app.utils.misc import read_config_bool, get_client_ip, get_request_url, \
 from app.utils.results import add_ip_card, bold_search_terms,\
     add_currency_card, check_currency, get_tabs_content
 from app.utils.search import Search, needs_https, has_captcha
-from app.utils.session import generate_user_key, valid_user_session
+from app.utils.session import valid_user_session
 from bs4 import BeautifulSoup as bsoup
 from flask import jsonify, make_response, request, redirect, render_template, \
     send_file, session, url_for, g
@@ -67,11 +67,16 @@ def auth_required(f):
 def session_required(f):
     @wraps(f)
     def decorated(*args, **kwargs):
-        if (valid_user_session(session)):
-            g.session_key = session['key']
-        else:
+        if not valid_user_session(session):
             session.pop('_permanent', None)
-            g.session_key = app.default_key
+
+        # Note: This sets all requests to use the encryption key determined per
+        # instance on app init. This can be updated in the future to use a key
+        # that is unique for their session (session['key']) but this should use
+        # a config setting to enable the session based key. Otherwise there can
+        # be problems with searches performed by users with cookies blocked if
+        # a session based key is always used.
+        g.session_key = app.enc_key
         # Clear out old sessions
         invalid_sessions = []
@@ -130,14 +135,17 @@ def before_request_func():
         if os.path.exists(app.config['DEFAULT_CONFIG']) else {}
     # Generate session values for user if unavailable
-    if (not valid_user_session(session)):
+    if not valid_user_session(session):
         session['config'] = default_config
         session['uuid'] = str(uuid.uuid4())
-        session['key'] = generate_user_key()
+        session['key'] = app.enc_key
     # Establish config values per user session
     g.user_config = Config(**session['config'])
+    # Update user config if specified in search args
+    g.user_config = g.user_config.from_params(g.request_params)
+
     if not g.user_config.url:
         g.user_config.url = get_request_url(request.url_root)
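Review bot: With `g.session_key = app.enc_key` the key stops being a per-user secret and becomes an instance-wide one, so an encrypted query or element URL minted for one client now decrypts for every other client of this instance; the six-line comment explains the cookie-blocked motivation but not this change in what the key binds. Fernet tokens are authenticated, so the exposure is replay and cross-user reuse of leaked URLs (referrers, proxy logs), not forgery. Suggest one more line in the note, e.g. `# The key is shared by every user of this instance; it does not tie a token to a session.`, and a test asserting that a cookieless client and a client with a session observe the same key, since nothing in the patch pins the new invariant. The body of `decorated` continues past the hunk.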
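Review bot: `session['key'] = app.enc_key` copies the instance-wide key into every newly created session even though `session_required` no longer reads `session['key']`, so its only effect is to replicate the shared secret wherever sessions are persisted — a signed, client-readable cookie if Flask's default session is in use, or per-session files if the "Clear out old sessions" code in `session_required` means a server-side store. Keeping a throwaway per-session value, `session['key'] = generate_key()` (restoring the import removed in the hunk above), still satisfies `REQUIRED_SESSION_VALUES` without spreading the instance key, and matches the per-session mode the commit message plans to add later. Separately, moving `g.user_config.from_params(g.request_params)` into `before_request_func` applies query-string config overrides to every route rather than only `index` and `search`; if that broadening is intended it deserves a sentence in the commit message. `before_request_func` starts and ends outside the hunk.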
@@ -193,9 +201,6 @@ def index():
             session['error_message'] = ''
             return render_template('error.html', error_message=error_message)
-    # Update user config if specified in search args
-    g.user_config = g.user_config.from_params(g.request_params)
-
     return render_template('index.html',
                            has_update=app.config['HAS_UPDATE'],
                            languages=app.config['LANGUAGES'],
@@ -283,9 +288,6 @@ def autocomplete():
 @session_required
 @auth_required
 def search():
-    # Update user config if specified in search args
-    g.user_config = g.user_config.from_params(g.request_params)
-
     search_util = Search(request, g.user_config, g.session_key)
     query = search_util.new_search_query()
diff --git a/app/utils/session.py b/app/utils/session.py
index 7aea933..8e1156b 100644
--- a/app/utils/session.py
+++ b/app/utils/session.py
@@ -4,7 +4,7 @@ from flask import current_app as app
 REQUIRED_SESSION_VALUES = ['uuid', 'config', 'key']
-def generate_user_key() -> bytes:
+def generate_key() -> bytes:
     """Generates a key for encrypting searches and element URLs
     Args:
diff --git a/test/conftest.py b/test/conftest.py
index 64e49f5..a91a803 100644
--- a/test/conftest.py
+++ b/test/conftest.py
@@ -1,5 +1,5 @@
 from app import app
-from app.utils.session import generate_user_key
+from app.utils.session import generate_key
 import pytest
 import random
@@ -18,6 +18,6 @@ def client():
     with app.test_client() as client:
         with client.session_transaction() as session:
             session['uuid'] = 'test'
-            session['key'] = generate_user_key()
+            session['key'] = app.enc_key
             session['config'] = {}
         yield client
diff --git a/test/test_misc.py b/test/test_misc.py
index 3d364af..bd923c3 100644
--- a/test/test_misc.py
+++ b/test/test_misc.py
@@ -2,7 +2,7 @@ from cryptography.fernet import Fernet
 from app import app
 from app.models.endpoint import Endpoint
-from app.utils.session import generate_user_key, valid_user_session
+from app.utils.session import generate_key, valid_user_session
 JAPAN_PREFS = 'uG-gGIJwHdqxl6DrS3mnu_511HlQcRpxYlG03Xs-' \
@@ -20,9 +20,9 @@ JAPAN_PREFS = 'uG-gGIJwHdqxl6DrS3mnu_511HlQcRpxYlG03Xs-' \
 def test_generate_user_keys():
-    key = generate_user_key()
+    key = generate_key()
     assert Fernet(key)
-    assert generate_user_key() != key
+    assert generate_key() != key
 def test_valid_session(client):
diff --git a/test/test_results.py b/test/test_results.py
index 994102b..d36f2a5 100644
--- a/test/test_results.py
+++ b/test/test_results.py
@@ -2,7 +2,7 @@ from bs4 import BeautifulSoup
 from app.filter import Filter
 from app.models.config import Config
 from app.models.endpoint import Endpoint
-from app.utils.session import generate_user_key
+from app.utils.session import generate_key
 from datetime import datetime
 from dateutil.parser import ParserError, parse
 from urllib.parse import urlparse
@@ -11,7 +11,7 @@ from test.conftest import demo_config
 def get_search_results(data):
-    secret_key = generate_user_key()
+    secret_key = generate_key()
     soup = Filter(user_key=secret_key, config=Config(**demo_config)).clean(
         BeautifulSoup(data, 'html.parser'))
@@ -132,7 +132,7 @@ def test_leading_slash_search(client):
     assert rv._status_code == 200
     soup = Filter(
-        user_key=generate_user_key(),
+        user_key=generate_key(),
         config=Config(**demo_config),
         query=q
     ).clean(BeautifulSoup(rv.data, 'html.parser'))