Make CSRF expiration configurable and increase default value

Fix typing
Update deps
2023-06-09 22:22:37 +02:00 · 2023-06-09 22:22:12 +02:00 · 2023-06-09 21:58:23 +02:00
4 changed files with 636 additions and 507 deletions
--- a/app/config.py
+++ b/app/config.py
@ -124,6 +124,7 @@ class Config(pydantic.BaseModel):
    key_path: str | None = None

    session_timeout: int = 3600 * 24 * 3  # in seconds, 3 days by default
+    csrf_token_exp: int = 3600

    disabled_notifications: list[str] = []

@ -263,7 +264,7 @@ def verify_csrf_token(
    if redirect_url:
        please_try_again = f'<a href="{redirect_url}">please try again</a>'
    try:
-        csrf_serializer.loads(csrf_token, max_age=1800)
+        csrf_serializer.loads(csrf_token, max_age=CONFIG.csrf_token_exp)
    except (itsdangerous.BadData, itsdangerous.SignatureExpired):
        logger.exception("Failed to verify CSRF token")
        raise HTTPException(
--- a/app/models.py
+++ b/app/models.py
@ -1,4 +1,5 @@
 import enum
+from datetime import datetime
 from typing import Any
 from typing import Optional
 from typing import Union
@ -436,7 +437,7 @@ class OutboxObjectAttachment(Base):
    outbox_object_id = Column(Integer, ForeignKey("outbox.id"), nullable=False)

    upload_id = Column(Integer, ForeignKey("upload.id"), nullable=False)
-    upload = relationship(Upload, uselist=False)
+    upload: Mapped["Upload"] = relationship(Upload, uselist=False)


 class IndieAuthAuthorizationRequest(Base):
@ -459,7 +460,9 @@ class IndieAuthAccessToken(Base):
    __tablename__ = "indieauth_access_token"

    id = Column(Integer, primary_key=True, index=True)
-    created_at = Column(DateTime(timezone=True), nullable=False, default=now)
+    created_at: Mapped[datetime] = Column(
+        DateTime(timezone=True), nullable=False, default=now
+    )

    # Will be null for personal access tokens
    indieauth_authorization_request_id = Column(
@ -470,9 +473,9 @@ class IndieAuthAccessToken(Base):
        uselist=False,
    )

-    access_token = Column(String, nullable=False, unique=True, index=True)
+    access_token: Mapped[str] = Column(String, nullable=False, unique=True, index=True)
    refresh_token = Column(String, nullable=True, unique=True, index=True)
-    expires_in = Column(Integer, nullable=False)
+    expires_in: Mapped[int] = Column(Integer, nullable=False)
    scope = Column(String, nullable=False)
    is_revoked = Column(Boolean, nullable=False, default=False)
    was_refreshed = Column(Boolean, nullable=False, default=False, server_default="0")
--- a/app/uploads.py
+++ b/app/uploads.py
@ -60,7 +60,7 @@ async def save_upload(db_session: AsyncSession, f: UploadFile) -> models.Upload:
            destination_image.putdata(original_image.getdata())
            destination_image.save(
                dest_filename,
-                format=_original_image.format,
+                format=_original_image.format,  # type: ignore
            )

            with open(dest_filename, "rb") as dest_f:
--- a/poetry.lock
+++ b/poetry.lock
Author	SHA1	Message	Date
Thomas Sileo	3c07494809	Make CSRF expiration configurable and increase default value	2023-06-09 22:22:37 +02:00
Thomas Sileo	2433fa01cd	Fix typing	2023-06-09 22:22:12 +02:00
Thomas Sileo	3169890a39	Update deps	2023-06-09 21:58:23 +02:00