olin-build / ABE

Amorphous Blob of Events
https://abe.olin.build/
GNU Affero General Public License v3.0

Adds an authorized cookie #222

Closed jaredbriskman closed 6 years ago

jaredbriskman commented 6 years ago

Closes #215.

After discussion, decided to implement a cookie with a shared secret for simplicity. Currently, there is no expiry or timestamp on the cookie, although this could be added. I think this all will change once we're able to move to a security domain model with users though.

Going to bring up a review app for a little more testing first.

(Also, tried to upgrade to Flask 1.0, now #221.)

jaredbriskman commented 6 years ago

The review app behaves as expected too. When this is merged, the environment variable SHARED_SECRET may need to be set on existing heroku apps.

As implemented, this sets an app_secret cookie if a user ever passes an IP authentication check. This does mean that if a user never does anything that requires auth, they won't get the cookie, but this should be mostly fixed with #75, where GET events will require an auth check.

That's still slightly different than anyone who visits the site on Olin's campus getting an auth cookie, but I think it's alright.

jaredbriskman commented 6 years ago

After discussion with @songbird175, added c78d26c to help with #103. Now auth_check is a separate function from the edit_auth_required decorator, which should make integration with more nuanced behavior than throwing 401 errors simpler, while still setting the secret cookie if the check is passed.
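The mechanism described across the comments above (an auth check that passes on a trusted IP or on an app_secret cookie equal to SHARED_SECRET, sets the cookie when the IP check is what passed, and is split into a plain auth_check function plus an edit_auth_required decorator that turns failure into a 401), as an added example. This is not ABE's code and it does not use Flask: the Request, Response and AuthError classes are stand-ins for Flask's request, response and abort(401), the CookieAuth class and its from_env constructor are names chosen here, and the 192.0.2.0/24 "campus" range and the secret string are constructed test values. It goes a little beyond the PR by comparing the cookie in constant time, returning whether the cookie should be set instead of setting it inside the check, and marking the cookie HttpOnly.

```python
"""Shared-secret auth cookie with an IP fallback (added example, not ABE's code)."""
import hmac
import ipaddress
import os
from dataclasses import dataclass, field
from functools import wraps

COOKIE_NAME = "app_secret"   # cookie name from the PR
ENV_VAR = "SHARED_SECRET"    # environment variable from the PR


class AuthError(Exception):
    """Stand-in for Flask's abort(401)."""
    status = 401


@dataclass
class Request:
    """Stand-in for flask.request: client address and cookie jar only."""
    remote_addr: str
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    """Stand-in for a Flask response; cookies maps name -> (value, attributes)."""
    body: str
    cookies: dict = field(default_factory=dict)


class CookieAuth:
    def __init__(self, secret, trusted_networks):
        if not secret:
            raise ValueError(f"{ENV_VAR} must be set to a non-empty value")
        self.secret = secret
        self.trusted_networks = [ipaddress.ip_network(n) for n in trusted_networks]

    @classmethod
    def from_env(cls, trusted_networks):
        # Raises if SHARED_SECRET is missing, the case the PR warns about for Heroku apps.
        return cls(os.environ.get(ENV_VAR, ""), trusted_networks)

    def ip_allowed(self, addr):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:          # malformed or absent address never passes
            return False
        return any(ip in net for net in self.trusted_networks)

    def cookie_valid(self, request):
        presented = request.cookies.get(COOKIE_NAME, "")
        # The cookie value is the shared secret itself, so compare in constant time.
        return bool(presented) and hmac.compare_digest(
            presented.encode(), self.secret.encode())

    def auth_check(self, request):
        """Side-effect-free check for callers that want something other than a 401.

        Returns (authorized, set_cookie); set_cookie is True only when the request
        passed on IP alone and should be issued the app_secret cookie.
        """
        if self.cookie_valid(request):
            return True, False
        if self.ip_allowed(request.remote_addr):
            return True, True
        return False, False

    def edit_auth_required(self, view):
        """Decorator: 401 on failure, otherwise run the view and set the cookie."""
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            authorized, set_cookie = self.auth_check(request)
            if not authorized:
                raise AuthError("Unauthorized")
            response = view(request, *args, **kwargs)
            if set_cookie:
                # HttpOnly keeps page scripts from reading the secret out of the jar.
                response.cookies[COOKIE_NAME] = (
                    self.secret, {"httponly": True, "samesite": "Lax"})
            return response
        return wrapper


def demo():
    """Walk an on-campus request, then the same client off campus, then a stranger."""
    auth = CookieAuth("constructed-demo-secret", ["192.0.2.0/24"])  # constructed values

    @auth.edit_auth_required
    def edit_event(request):
        return Response("event updated")

    first = edit_event(Request("192.0.2.10"))               # passes on IP, gets cookie
    issued = first.cookies[COOKIE_NAME][0]
    second = edit_event(Request("198.51.100.7", cookies={COOKIE_NAME: issued}))  # cookie
    try:
        edit_event(Request("198.51.100.7"))                 # neither IP nor cookie
        denied = None
    except AuthError as err:
        denied = err.status
    return {"first_cookie": first.cookies.get(COOKIE_NAME),
            "second_cookie": second.cookies.get(COOKIE_NAME),
            "denied": denied}


if __name__ == "__main__":
    print(demo())
```

Because the cookie carries the secret verbatim, there is nothing to expire or revoke per client: the only way to invalidate issued cookies is to rotate SHARED_SECRET, which logs everyone out at once. That matches the "no expiry or timestamp" state the PR describes; adding a signed timestamp would be the next step. A real deployment over HTTPS should also set the cookie's secure flag, which is left out here only so the stand-in runs without a TLS context.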