cherrypy-foundation 1.0.0a15__py3-none-any.whl → 1.0.0a17__py3-none-any.whl

cherrypy_foundation/tools/auth_mfa.py

@@ -1,5 +1,5 @@
 # MFA tool for cherrypy
-# Copyright (C) 2022-2025 Patrik Dufresne
+# Copyright (C) 2022-2026 IKUS Software
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -21,6 +21,8 @@ from typing import Optional
 
 import cherrypy
 
+from cherrypy_foundation.sessions import session_lock
+
 from ..passwd import check_password, hash_password
 
 MFA_CODE = '_auth_mfa_code'
@@ -83,11 +85,11 @@ class CheckAuthMfa(cherrypy.Tool):
 
         length = self._code_length()
         code = ''.join(secrets.choice(string.digits) for _ in range(length))
-        session = cherrypy.serving.session
-        session[MFA_USER_KEY] = cherrypy.request.login
-        session[MFA_CODE] = hash_password(code)
-        session[MFA_CODE_TIME] = session.now()
-        session[MFA_CODE_ATTEMPT] = 0
+        with session_lock() as session:
+            session[MFA_USER_KEY] = cherrypy.request.login
+            session[MFA_CODE] = hash_password(code)
+            session[MFA_CODE_TIME] = session.now()
+            session[MFA_CODE_ATTEMPT] = 0
         return code
 
     def _is_verified(self) -> bool:
@@ -96,24 +98,24 @@ class CheckAuthMfa(cherrypy.Tool):
             return False
 
         # Check if our username match current login user.
-        session = cherrypy.serving.session
-        if session.get(MFA_USER_KEY) != cherrypy.request.login:
-            return False
+        with session_lock() as session:
+            if session.get(MFA_USER_KEY) != cherrypy.request.login:
+                return False
 
-        # Check if the current IP is trusted
-        ip_list = session.get(MFA_TRUSTED_IP_LIST) or []
-        if cherrypy.request.remote.ip not in ip_list:
-            return False
+            # Check if the current IP is trusted
+            ip_list = session.get(MFA_TRUSTED_IP_LIST) or []
+            if cherrypy.request.remote.ip not in ip_list:
+                return False
 
-        # Check if user ever pass the verification.
-        verified_at: Optional[datetime.datetime] = session.get(MFA_VERIFICATION_TIME)
-        if not verified_at:
-            return False
+            # Check if user ever pass the verification.
+            verified_at: Optional[datetime.datetime] = session.get(MFA_VERIFICATION_TIME)
+            if not verified_at:
+                return False
 
-        # Check trusted duration time
-        trust_minutes = self._trust_duration_minutes()
-        if (verified_at + datetime.timedelta(minutes=trust_minutes)) <= session.now():
-            return False
+            # Check trusted duration time
+            trust_minutes = self._trust_duration_minutes()
+            if (verified_at + datetime.timedelta(minutes=trust_minutes)) <= session.now():
+                return False
 
         return True
 
@@ -125,24 +127,26 @@ class CheckAuthMfa(cherrypy.Tool):
         if not hasattr(cherrypy.serving, 'session'):
             return True
 
-        session = cherrypy.serving.session
-        if session.get(MFA_USER_KEY) != cherrypy.request.login:
-            return True
+        with session_lock() as session:
+            if session.get(MFA_USER_KEY) != cherrypy.request.login:
+                return True
 
-        # Check if code is defined.
-        hash_ = session.get(MFA_CODE)
-        if not hash_:
-            return True
+            # Check if code is defined.
+            hash_ = session.get(MFA_CODE)
+            if not hash_:
+                return True
 
-        # Check issued time.
-        issued_at: Optional[datetime.datetime] = session.get(MFA_CODE_TIME)
-        if not issued_at or ((issued_at + datetime.timedelta(minutes=self._code_timeout_minutes())) < session.now()):
-            return True
+            # Check issued time.
+            issued_at: Optional[datetime.datetime] = session.get(MFA_CODE_TIME)
+            if not issued_at or (
+                (issued_at + datetime.timedelta(minutes=self._code_timeout_minutes())) < session.now()
+            ):
+                return True
 
-        # Check number of attempt.
-        attempts = int(session.get(MFA_CODE_ATTEMPT, 0))
-        if attempts >= self._max_attempts():
-            return True
+            # Check number of attempt.
+            attempts = int(session.get(MFA_CODE_ATTEMPT, 0))
+            if attempts >= self._max_attempts():
+                return True
 
         return False
 
@@ -190,55 +194,55 @@ class CheckAuthMfa(cherrypy.Tool):
         if not hasattr(cherrypy.serving, 'session'):
             return False
 
-        session = cherrypy.serving.session
-        stored_hash = session.get(MFA_CODE)
-        is_expired = self.is_code_expired()
-        if self.is_code_expired():
-            return False
-
-        # Always perform the hash check regardless of expiration
-        # to prevent timing attacks
-        code_valid = False
-        if stored_hash:
-            code_valid = check_password(code, stored_hash)
-
-        # Check all conditions after hash verification
-        if is_expired or not code_valid:
-            if not is_expired:  # Only increment if not expired
-                session[MFA_CODE_ATTEMPT] = attempts = int(session.get(MFA_CODE_ATTEMPT, 0)) + 1
+        with session_lock() as session:
+            stored_hash = session.get(MFA_CODE)
+            is_expired = self.is_code_expired()
+            if self.is_code_expired():
+                return False
+
+            # Always perform the hash check regardless of expiration
+            # to prevent timing attacks
+            code_valid = False
+            if stored_hash:
+                code_valid = check_password(code, stored_hash)
+
+            # Check all conditions after hash verification
+            if is_expired or not code_valid:
+                if not is_expired:  # Only increment if not expired
+                    session[MFA_CODE_ATTEMPT] = attempts = int(session.get(MFA_CODE_ATTEMPT, 0)) + 1
+                cherrypy.log(
+                    f'verification failed user={cherrypy.request.login} ip={cherrypy.request.remote.ip} attempts={attempts}',
+                    context='MFA',
+                    severity=logging.WARNING,
+                )
+                return False
+
+            # Success: trust this device/IP for the configured duration
+            session[MFA_VERIFICATION_TIME] = session.now()
+            ip_list = list({*(session.get(MFA_TRUSTED_IP_LIST) or []), cherrypy.request.remote.ip})
+            # Cap the list to avoid unbounded growth (keep most recent N)
+            max_ips = self._max_trusted_ips()
+            if len(ip_list) > max_ips:
+                ip_list = ip_list[-max_ips:]
+            session[MFA_TRUSTED_IP_LIST] = ip_list
+
+            # Clear the one-time code
+            session[MFA_CODE] = None
+            session[MFA_CODE_TIME] = None
+            session[MFA_CODE_ATTEMPT] = 0
+
+            # Honor “remember this device” option by making the session persistent
+            if hasattr(cherrypy.tools, 'sessions_timeout'):
+                try:
+                    cherrypy.tools.sessions_timeout.set_persistent(bool(persistent))
+                except Exception:
+                    pass
+
+            # Rotate session id to prevent fixation
+            session.regenerate()
             cherrypy.log(
-                f'verification failed user={cherrypy.request.login} ip={cherrypy.request.remote.ip} attempts={attempts}',
-                context='MFA',
-                severity=logging.WARNING,
+                f'verification successful user={cherrypy.request.login} ip={cherrypy.request.remote.ip}', context='MFA'
             )
-            return False
-
-        # Success: trust this device/IP for the configured duration
-        session[MFA_VERIFICATION_TIME] = session.now()
-        ip_list = list({*(session.get(MFA_TRUSTED_IP_LIST) or []), cherrypy.request.remote.ip})
-        # Cap the list to avoid unbounded growth (keep most recent N)
-        max_ips = self._max_trusted_ips()
-        if len(ip_list) > max_ips:
-            ip_list = ip_list[-max_ips:]
-        session[MFA_TRUSTED_IP_LIST] = ip_list
-
-        # Clear the one-time code
-        session[MFA_CODE] = None
-        session[MFA_CODE_TIME] = None
-        session[MFA_CODE_ATTEMPT] = 0
-
-        # Honor “remember this device” option by making the session persistent
-        if hasattr(cherrypy.tools, 'sessions_timeout'):
-            try:
-                cherrypy.tools.sessions_timeout.set_persistent(bool(persistent))
-            except Exception:
-                pass
-
-        # Rotate session id to prevent fixation
-        session.regenerate()
-        cherrypy.log(
-            f'verification successful user={cherrypy.request.login} ip={cherrypy.request.remote.ip}', context='MFA'
-        )
         return True
 
 

cherrypy_foundation/tools/i18n.py

@@ -1,5 +1,5 @@
 # Internationalisation tool for cherrypy
-# Copyright (C) 2012-2025 Patrik Dufresne
+# Copyright (C) 2012-2026 IKUS Software
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

cherrypy_foundation/tools/jinja2.py

@@ -1,5 +1,5 @@
 # Jinja2 tools for cherrypy
-# Copyright (C) 2021-2025 Patrik Dufresne
+# Copyright (C) 2021-2026 IKUS Software
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

cherrypy_foundation/tools/ratelimit.py

@@ -1,5 +1,5 @@
 # Ratelimit tools for cherrypy
-# Copyright (C) 2022-2025 Patrik Dufresne
+# Copyright (C) 2022-2026 IKUS Software
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -22,6 +22,8 @@ from collections import namedtuple
 
 import cherrypy
 
+from cherrypy_foundation.sessions import session_lock
+
 Tracker = namedtuple('Tracker', ['token', 'hits', 'timeout'])
 
 
@@ -148,9 +150,27 @@ class FileRateLimit(_DataStore):
 class Ratelimit(cherrypy.Tool):
     CONTEXT = 'TOOLS.RATELIMIT'
 
+    _datastores = {}
+
     def __init__(self, priority=60):
         super().__init__('before_handler', self.check_ratelimit, 'ratelimit', priority)
 
+    def _get_datastore(self, storage_class, **kwargs):
+        """
+        Create new datastore or return existing datastore.
+        """
+        # Default to RAM if storage class is not defined.
+        if storage_class is None:
+            kwargs = {}
+            storage_class = RamRateLimit
+        # Lookup for matching storage.
+        key = (storage_class, str(kwargs))
+        datastore = self._datastores.get(key)
+        if datastore is None:
+            # Create new storage if not found.
+            self._datastores[key] = datastore = storage_class(**kwargs)
+        return datastore
+
     def check_ratelimit(
         self,
         delay=3600,
@@ -161,7 +181,8 @@ class Ratelimit(cherrypy.Tool):
         methods=None,
         debug=False,
         hit=1,
-        **conf,
+        storage_class=None,
+        **storage_kwargs,
     ):
         """
         Verify the ratelimit. By default return a 429 HTTP error code (Too Many Request). After 25 request within the same hour.
@@ -174,11 +195,10 @@ class Ratelimit(cherrypy.Tool):
             scope:         if specify, define the scope of rate limit. Default to path_info.
             methods:       if specify, only the methods in the list will be rate limited.
         """
-        assert delay > 0, 'invalid delay'
-
-        # Check if limit is enabled
+        if delay <= 0:
+            raise ValueError('Invalid delay: %s' % delay)
         if limit <= 0:
-            return
+            raise ValueError('Invalid limit: %s' % limit)
 
         # Check if this 'method' should be rate limited
         request = cherrypy.request
@@ -187,13 +207,8 @@ class Ratelimit(cherrypy.Tool):
                 cherrypy.log(f'skip rate limit for HTTP method {request.method}', context=self.CONTEXT)
             return
 
-        # If datastore is not pass as configuration, create it for the first time.
-        datastore = getattr(self, '_ratelimit_datastore', None)
-        if datastore is None:
-            # Create storage using storage class
-            storage_class = conf.get('storage_class', RamRateLimit)
-            datastore = storage_class(**conf)
-            self._ratelimit_datastore = datastore
+        # Create storage using storage class
+        datastore = self._get_datastore(storage_class, **storage_kwargs)
 
         # Identifier: prefer authenticated user; else client IP
         identifier = getattr(cherrypy.serving.request, 'login', None) or cherrypy.request.remote.ip
@@ -226,7 +241,8 @@ class Ratelimit(cherrypy.Tool):
             cherrypy.log(f'block access to path_info={request.path_info}', context=self.CONTEXT)
             if logout:
                 if hasattr(cherrypy.serving, 'session'):
-                    cherrypy.serving.session.clear()
+                    with session_lock() as session:
+                        session.clear()
                 raise cherrypy.HTTPRedirect("/")
             raise cherrypy.HTTPError(return_status)
 
@@ -240,12 +256,10 @@ class Ratelimit(cherrypy.Tool):
 
     def reset(self):
         """
-        Used to reset the ratelimit.
+        Used to reset the ratelimit. (for unit test)
         """
-        datastore = getattr(self, '_ratelimit_datastore', False)
-        if not datastore:
-            return
-        datastore.reset()
+        for datastore in self._datastores.values():
+            datastore.reset()
 
 
 cherrypy.tools.ratelimit = Ratelimit()

cherrypy_foundation/tools/secure_headers.py

@@ -1,5 +1,5 @@
 # Secure Headers tool for cherrypy
-# Copyright (C) 2012-2025 IKUS Software
+# Copyright (C) 2012-2026 IKUS Software
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

cherrypy_foundation/tools/sessions_timeout.py

@@ -1,5 +1,5 @@
 # Session timeout tool for cherrypy
-# Copyright (C) 2012-2025 IKUS Software
+# Copyright (C) 2012-2026 IKUS Software
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -21,6 +21,8 @@ import time
 import cherrypy
 from cherrypy.lib import httputil
 
+from cherrypy_foundation.sessions import session_lock
+
 SESSION_PERSISTENT = '_session_persistent'
 SESSION_START_TIME = '_session_start_time'
 
@@ -57,13 +59,13 @@ class SessionsTimeout(cherrypy.Tool):
         absolute_timeout = int(cfg.get('tools.sessions_timeout.absolute_timeout', SESSION_DEFAULT_ABSOLUTE_TIMEOUT))
         return idle_timeout, persistent_timeout, absolute_timeout
 
-    def _set_cookie_max_age(self, max_age: int) -> None:
+    def _set_cookie_max_age(self, session, max_age: int) -> None:
         """Adjust only Max-Age and Expires for the session cookie, keep other flags intact."""
         cookie_name = self._cookie_name()
         cookie = cherrypy.serving.response.cookie
         # Ensure the cookie key exists (CherryPy sets it when session id is issued/regenerated).
         if cookie_name not in cookie:
-            cookie[cookie_name] = cherrypy.serving.session.id
+            cookie[cookie_name] = session.id
         cookie[cookie_name]['max-age'] = str(max(0, max_age))
         cookie[cookie_name]['expires'] = httputil.HTTPDate(time.time() + max(0, max_age))
 
@@ -73,24 +75,21 @@ class SessionsTimeout(cherrypy.Tool):
             return 0
         return int(math.ceil(seconds / 60.0))
 
-    def _ensure_start_time(self) -> None:
+    def _ensure_start_time(self, session) -> None:
         """Ensure the session has a stable start time anchor for absolute timeout."""
-        session = cherrypy.serving.session
         if SESSION_START_TIME not in session or not isinstance(session.get(SESSION_START_TIME), datetime.datetime):
             session[SESSION_START_TIME] = session.now()
 
-    def _expire_and_restart(self, make_persistent: bool | None = None) -> None:
+    def _expire_and_restart(self, session, make_persistent: bool | None = None) -> None:
         """Expire current session and start a fresh one. Optionally set persistent flag."""
-        session = cherrypy.serving.session
         session.clear()
         session.regenerate()
         session[SESSION_START_TIME] = session.now()
         if make_persistent is not None:
             session[SESSION_PERSISTENT] = bool(make_persistent)
 
-    def _update_session_timeout(self) -> None:
-        session = cherrypy.serving.session
-        self._ensure_start_time()
+    def _update_session_timeout(self, session) -> None:
+        self._ensure_start_time(session)
 
         now: datetime.datetime = session.now()
         start: datetime.datetime = session[SESSION_START_TIME]
@@ -120,9 +119,9 @@ class SessionsTimeout(cherrypy.Tool):
             # Expired due to either sliding window or absolute cap
             # Start a fresh session; do NOT automatically re-mark persistent here.
             # Authentication/Remember me logic elsewhere can call set_persistent(True) again after login.
-            self._expire_and_restart()
+            self._expire_and_restart(session)
             # After regeneration, set a sensible session.timeout baseline:
-            cherrypy.serving.session.timeout = idle_timeout_min
+            session.timeout = idle_timeout_min
             return
 
         # Apply per-request remaining minutes to CherryPy's session timeout
@@ -130,7 +129,7 @@ class SessionsTimeout(cherrypy.Tool):
 
         if is_persistent:
             # Keep cookie lifetime aligned with remaining time so it can survive browser restarts.
-            self._set_cookie_max_age(remaining_sec)
+            self._set_cookie_max_age(session, remaining_sec)
         else:
             # For non-persistent, let CherryPy manage the session cookie (session or transient cookie).
             # If you want strict enforcement client-side too, uncomment the next line:
@@ -143,23 +142,26 @@ class SessionsTimeout(cherrypy.Tool):
             return
 
         # Ensure configured values are honored (method signature kept for CherryPy Tool interface)
-        self._update_session_timeout()
+        with session_lock() as session:
+            self._update_session_timeout(session)
 
     def set_persistent(self, value: bool = True) -> None:
         """Mark current session as persistent (or not) and reset the start window."""
-        session = cherrypy.serving.session
-        session[SESSION_PERSISTENT] = bool(value)
-        # Reset absolute window anchor when the persistence policy changes
-        session[SESSION_START_TIME] = session.now()
-        self._update_session_timeout()
+        with session_lock() as session:
+            session[SESSION_PERSISTENT] = bool(value)
+            # Reset absolute window anchor when the persistence policy changes
+            session[SESSION_START_TIME] = session.now()
+            self._update_session_timeout(session)
 
     def is_persistent(self) -> bool:
         """Return True if the session is marked persistent."""
-        return bool(cherrypy.serving.session.get(SESSION_PERSISTENT, False))
+        with session_lock() as session:
+            return bool(session.get(SESSION_PERSISTENT, False))
 
     def get_session_start_time(self) -> datetime.datetime | None:
         """Return the session start time if any."""
-        return cherrypy.serving.session.get(SESSION_START_TIME, None)
+        with session_lock() as session:
+            return session.get(SESSION_START_TIME, None)
 
 
 cherrypy.tools.sessions_timeout = SessionsTimeout()

cherrypy_foundation/tools/tests/test_auth.py

@@ -1,5 +1,5 @@
 # CherryPy
-# Copyright (C) 2025 IKUS Software
+# Copyright (C) 2026 IKUS Software
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -14,11 +14,12 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
-
+import tempfile
 from collections import namedtuple
 from urllib.parse import urlencode
 
 import cherrypy
+from cherrypy.lib.sessions import FileSession
 from cherrypy.test import helper
 
 from .. import auth  # noqa
@@ -42,7 +43,7 @@ def user_from_key_func(userkey):
     return None
 
 
-@cherrypy.tools.sessions()
+@cherrypy.tools.sessions(locking='explicit', storage_class=FileSession)
 @cherrypy.tools.auth(
     user_lookup_func=user_lookup_func,
     user_from_key_func=user_from_key_func,
@@ -68,8 +69,24 @@ class Root:
 class AuthManagerTest(helper.CPWebCase):
     interactive = False
 
+    @classmethod
+    def setup_class(cls):
+        cls.tempdir = tempfile.TemporaryDirectory(prefix='cherrypy-foundation-', suffix='-session')
+        cls.session_dir = cls.tempdir.name
+        super().setup_class()
+
+    @classmethod
+    def teardown_class(cls):
+        cls.tempdir.cleanup()
+        super().teardown_class()
+
     @classmethod
     def setup_server(cls):
+        cherrypy.config.update(
+            {
+                'tools.sessions.storage_path': cls.session_dir,
+            }
+        )
         cherrypy.tree.mount(Root(), '/')
 
     def test_auth_redirect(self):

cherrypy_foundation/tools/tests/test_auth_mfa.py

@@ -1,5 +1,5 @@
 # CherryPy
-# Copyright (C) 2025 IKUS Software
+# Copyright (C) 2026 IKUS Software
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -14,7 +14,6 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
-
 import datetime
 from collections import namedtuple
 from urllib.parse import urlencode
@@ -23,6 +22,8 @@ import cherrypy
 from cherrypy.lib.sessions import RamSession
 from cherrypy.test import helper
 
+from cherrypy_foundation.sessions import session_lock
+
 from ..auth import AUTH_LAST_PASSWORD_AT
 from ..auth_mfa import (
     MFA_CODE_TIME,
@@ -64,7 +65,7 @@ def user_from_key_func(userkey):
     return None
 
 
-@cherrypy.tools.sessions()
+@cherrypy.tools.sessions(locking='explicit')
 @cherrypy.tools.auth(
     user_lookup_func=user_lookup_func,
     user_from_key_func=user_from_key_func,
@@ -103,7 +104,8 @@ class Root:
             code = cherrypy.tools.auth_mfa.generate_code()
             # Here the code should be send by email, SMS or any other means.
             # For our test we store it in the session.
-            cherrypy.serving.session['code'] = code
+            with session_lock() as session:
+                session['code'] = code
             html += "<p>new verification code sent to your email</p>\n"
         return html
 

cherrypy_foundation/tools/tests/test_i18n.py

@@ -1,5 +1,5 @@
 # CherryPy
-# Copyright (C) 2025 IKUS Software
+# Copyright (C) 2026 IKUS Software
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

cherrypy_foundation/tools/tests/test_jinja2.py

@@ -1,5 +1,5 @@
-# CherryPy Foundation
-# Copyright (C) 2025 IKUS Software
+# Cherrypy-foundation
+# Copyright (C) 2026 IKUS Software
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

cherrypy_foundation/tools/tests/test_ratelimit.py

@@ -1,5 +1,5 @@
 # CherryPy
-# Copyright (C) 2025 IKUS Software
+# Copyright (C) 2026 IKUS Software
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -49,7 +49,7 @@ class RateLimitTest(helper.CPWebCase):
 
     @classmethod
     def setup_server(cls):
-        rate_limit_storage_class = ratelimit.RamRateLimit
+        rate_limit_storage_class = None
         if cls.rate_limit_dir:
             rate_limit_storage_class = ratelimit.FileRateLimit
         cherrypy.config.update(