diff --git a/README.md b/README.md
index 11426ea..9ff6073 100644
--- a/README.md
+++ b/README.md
@@ -23,4 +23,16 @@ location /saml/ {
 proxy_set_header X-Saml-Acs /saml/login;
 proxy_pass http://saml:5000/;
 }
-```
\ No newline at end of file
+
+location @error401 {
+ return 302 https://$http_host/saml/login?url=$request_uri;
+}
+```
+
+## SECRET_KEY
+
+This app wants an environment variable `SECRET_KEY`, which should be a secure,
+randomly-generated string. Otherwise, we generate one on the fly, which only
+works long as the app is running, and won't work in a distributed environment.
+SECRET_KEY is used to sign cookies, so setting a new key effectively
+invalidates all existing sessions.
diff --git a/app.py b/app.py
index b3cc9b4..3e805e8 100644
--- a/app.py
+++ b/app.py
@@ -5,21 +5,22 @@ from urllib.parse import urljoin
 from datetime import timedelta
 import os
-import uuid
+import secrets
 app = Flask(__name__)
 app.wsgi_app = ProxyFix(app.wsgi_app)
 if os.environ.get('SECRET_KEY'):
 app.secret_key = os.environ['SECRET_KEY']
 else:
 app.logger.error('Generating burner SECRET_KEY for demo purposes')
- app.secret_key = str(uuid.uuid1())
+ app.secret_key = secrets.token_urlsafe(32)
 app.config.update(
 SESSION_COOKIE_NAME='_saml_session',
 SESSION_COOKIE_HTTPONLY=True,
 SESSION_COOKIE_SECURE=True,
- PERMANENT_SESSION_LIFETIME=timedelta(minutes=10) # TODO: refine this
+ PERMANENT_SESSION_LIFETIME=timedelta(hours=12)
 )
+
 @app.route('/status')
 @app.route('/status/group/')
 def status(group=None):
@@ -35,7 +36,7 @@ def status(group=None):
 if not userid:
 abort(401)
 if group and group not in groups:
- abort(403)
+ abort(403)
 headers = {'X-Saml-User': userid, 'X-Saml-Groups': ':'.join(groups)}
 txt = f'Logged in as: {userid}\nGroups: {str(groups)}'
@@ -73,3 +74,11 @@ def login():
 def logout():
 session.clear()
 return 'Logged out'
+
+
+@app.route('/')
+def healthz():
+ """Return a 200 along with some useful links."""
+ return '''
+
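Review bot: Raising PERMANENT_SESSION_LIFETIME from 10 minutes to 12 hours in app.config.update drops the "TODO: refine this" marker without recording why the new value is acceptable or what it bounds. The session presumably carries the SAML-derived userid and groups that `status` authorizes on (`if not userid: abort(401)` / `if group and group not in groups`), so a group revoked at the IdP stays effective until the cookie ages out or `logout` clears it, and Flask also uses this value as max_age when loading the signed cookie, so it caps cookie validity even for non-permanent sessions (worth confirming against the installed Flask version). Suggest a comment on that line: `# Caps signed-cookie validity; cached SAML groups are trusted this long without re-auth`. The README's new SECRET_KEY section would be the natural place to state the same trade-off. The `secrets.token_urlsafe(32)` replacement for uuid1 is the right fix for the predictable burner key and needs no further change.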

Sign in

Logout

+ '''
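Review bot: `healthz` at `/` is served without the userid check that `status` performs, which is reasonable for a health/landing endpoint but should be stated, since the docstring only says it returns a 200 with links. The body is a static triple-quoted literal with nothing from the request interpolated, so there is no injection surface; the HTML markup itself is not visible in this rendering, so the link targets cannot be checked here. Suggest replacing the docstring with `"""Unauthenticated landing/health page: static HTML with sign-in and logout links; nothing from the request is rendered."""`.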