plain.sessions 0.0.0__tar.gz

plain_sessions-0.0.0/LICENSE

@@ -0,0 +1,61 @@
+## Plain is released under the BSD 3-Clause License
+
+BSD 3-Clause License
+
+Copyright (c) 2023, Dropseed, LLC
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+## This package contains code forked from github.com/django/django
+
+Copyright (c) Django Software Foundation and individual contributors.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+
+    3. Neither the name of Django nor the names of its contributors may be used
+       to endorse or promote products derived from this software without
+       specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

plain_sessions-0.0.0/PKG-INFO

@@ -0,0 +1,10 @@
+Metadata-Version: 2.1
+Name: plain.sessions
+Version: 0.0.0
+Summary: 
+Author: Dave Gaeddert
+Author-email: dave.gaeddert@dropseed.dev
+Requires-Python: >=3.11,<4.0
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12

plain_sessions-0.0.0/plain/sessions/README.md

@@ -0,0 +1,6 @@
+## Sessions - db backed
+
+Manage sessions and save them in the database.
+
+- associate with users?
+- devices?

plain_sessions-0.0.0/plain/sessions/__init__.py

@@ -0,0 +1 @@
+from . import preflight  # noqa

plain_sessions-0.0.0/plain/sessions/backends/base.py

@@ -0,0 +1,348 @@
+import logging
+import string
+from datetime import datetime, timedelta
+
+from plain import signing
+from plain.runtime import settings
+from plain.utils import timezone
+from plain.utils.crypto import get_random_string
+
+# session_key should not be case sensitive because some backends can store it
+# on case insensitive file systems.
+VALID_KEY_CHARS = string.ascii_lowercase + string.digits
+
+
+class CreateError(Exception):
+    """
+    Used internally as a consistent exception type to catch from save (see the
+    docstring for SessionBase.save() for details).
+    """
+
+    pass
+
+
+class UpdateError(Exception):
+    """
+    Occurs if Plain tries to update a session that was deleted.
+    """
+
+    pass
+
+
+class SessionBase:
+    """
+    Base class for all Session classes.
+    """
+
+    __not_given = object()
+
+    def __init__(self, session_key=None):
+        self._session_key = session_key
+        self.accessed = False
+        self.modified = False
+
+    def __contains__(self, key):
+        return key in self._session
+
+    def __getitem__(self, key):
+        return self._session[key]
+
+    def __setitem__(self, key, value):
+        self._session[key] = value
+        self.modified = True
+
+    def __delitem__(self, key):
+        del self._session[key]
+        self.modified = True
+
+    @property
+    def key_salt(self):
+        return "plain.sessions." + self.__class__.__qualname__
+
+    def get(self, key, default=None):
+        return self._session.get(key, default)
+
+    def pop(self, key, default=__not_given):
+        self.modified = self.modified or key in self._session
+        args = () if default is self.__not_given else (default,)
+        return self._session.pop(key, *args)
+
+    def setdefault(self, key, value):
+        if key in self._session:
+            return self._session[key]
+        else:
+            self.modified = True
+            self._session[key] = value
+            return value
+
+    def encode(self, session_dict):
+        "Return the given session dictionary serialized and encoded as a string."
+        return signing.dumps(
+            session_dict,
+            salt=self.key_salt,
+            compress=True,
+        )
+
+    def decode(self, session_data):
+        try:
+            return signing.loads(session_data, salt=self.key_salt)
+        except signing.BadSignature:
+            logger = logging.getLogger("plain.security.SuspiciousSession")
+            logger.warning("Session data corrupted")
+        except Exception:
+            # ValueError, unpickling exceptions. If any of these happen, just
+            # return an empty dictionary (an empty session).
+            pass
+        return {}
+
+    def update(self, dict_):
+        self._session.update(dict_)
+        self.modified = True
+
+    def has_key(self, key):
+        return key in self._session
+
+    def keys(self):
+        return self._session.keys()
+
+    def values(self):
+        return self._session.values()
+
+    def items(self):
+        return self._session.items()
+
+    def clear(self):
+        # To avoid unnecessary persistent storage accesses, we set up the
+        # internals directly (loading data wastes time, since we are going to
+        # set it to an empty dict anyway).
+        self._session_cache = {}
+        self.accessed = True
+        self.modified = True
+
+    def is_empty(self):
+        "Return True when there is no session_key and the session is empty."
+        try:
+            return not self._session_key and not self._session_cache
+        except AttributeError:
+            return True
+
+    def _get_new_session_key(self):
+        "Return session key that isn't being used."
+        while True:
+            session_key = get_random_string(32, VALID_KEY_CHARS)
+            if not self.exists(session_key):
+                return session_key
+
+    def _get_or_create_session_key(self):
+        if self._session_key is None:
+            self._session_key = self._get_new_session_key()
+        return self._session_key
+
+    def _validate_session_key(self, key):
+        """
+        Key must be truthy and at least 8 characters long. 8 characters is an
+        arbitrary lower bound for some minimal key security.
+        """
+        return key and len(key) >= 8
+
+    def _get_session_key(self):
+        return self.__session_key
+
+    def _set_session_key(self, value):
+        """
+        Validate session key on assignment. Invalid values will set to None.
+        """
+        if self._validate_session_key(value):
+            self.__session_key = value
+        else:
+            self.__session_key = None
+
+    session_key = property(_get_session_key)
+    _session_key = property(_get_session_key, _set_session_key)
+
+    def _get_session(self, no_load=False):
+        """
+        Lazily load session from storage (unless "no_load" is True, when only
+        an empty dict is stored) and store it in the current instance.
+        """
+        self.accessed = True
+        try:
+            return self._session_cache
+        except AttributeError:
+            if self.session_key is None or no_load:
+                self._session_cache = {}
+            else:
+                self._session_cache = self.load()
+        return self._session_cache
+
+    _session = property(_get_session)
+
+    def get_session_cookie_age(self):
+        return settings.SESSION_COOKIE_AGE
+
+    def get_expiry_age(self, **kwargs):
+        """Get the number of seconds until the session expires.
+
+        Optionally, this function accepts `modification` and `expiry` keyword
+        arguments specifying the modification and expiry of the session.
+        """
+        try:
+            modification = kwargs["modification"]
+        except KeyError:
+            modification = timezone.now()
+        # Make the difference between "expiry=None passed in kwargs" and
+        # "expiry not passed in kwargs", in order to guarantee not to trigger
+        # self.load() when expiry is provided.
+        try:
+            expiry = kwargs["expiry"]
+        except KeyError:
+            expiry = self.get("_session_expiry")
+
+        if not expiry:  # Checks both None and 0 cases
+            return self.get_session_cookie_age()
+        if not isinstance(expiry, datetime | str):
+            return expiry
+        if isinstance(expiry, str):
+            expiry = datetime.fromisoformat(expiry)
+        delta = expiry - modification
+        return delta.days * 86400 + delta.seconds
+
+    def get_expiry_date(self, **kwargs):
+        """Get session the expiry date (as a datetime object).
+
+        Optionally, this function accepts `modification` and `expiry` keyword
+        arguments specifying the modification and expiry of the session.
+        """
+        try:
+            modification = kwargs["modification"]
+        except KeyError:
+            modification = timezone.now()
+        # Same comment as in get_expiry_age
+        try:
+            expiry = kwargs["expiry"]
+        except KeyError:
+            expiry = self.get("_session_expiry")
+
+        if isinstance(expiry, datetime):
+            return expiry
+        elif isinstance(expiry, str):
+            return datetime.fromisoformat(expiry)
+        expiry = expiry or self.get_session_cookie_age()
+        return modification + timedelta(seconds=expiry)
+
+    def set_expiry(self, value):
+        """
+        Set a custom expiration for the session. ``value`` can be an integer,
+        a Python ``datetime`` or ``timedelta`` object or ``None``.
+
+        If ``value`` is an integer, the session will expire after that many
+        seconds of inactivity. If set to ``0`` then the session will expire on
+        browser close.
+
+        If ``value`` is a ``datetime`` or ``timedelta`` object, the session
+        will expire at that specific future time.
+
+        If ``value`` is ``None``, the session uses the global session expiry
+        policy.
+        """
+        if value is None:
+            # Remove any custom expiration for this session.
+            try:
+                del self["_session_expiry"]
+            except KeyError:
+                pass
+            return
+        if isinstance(value, timedelta):
+            value = timezone.now() + value
+        if isinstance(value, datetime):
+            value = value.isoformat()
+        self["_session_expiry"] = value
+
+    def get_expire_at_browser_close(self):
+        """
+        Return ``True`` if the session is set to expire when the browser
+        closes, and ``False`` if there's an expiry date. Use
+        ``get_expiry_date()`` or ``get_expiry_age()`` to find the actual expiry
+        date/age, if there is one.
+        """
+        if (expiry := self.get("_session_expiry")) is None:
+            return settings.SESSION_EXPIRE_AT_BROWSER_CLOSE
+        return expiry == 0
+
+    def flush(self):
+        """
+        Remove the current session data from the database and regenerate the
+        key.
+        """
+        self.clear()
+        self.delete()
+        self._session_key = None
+
+    def cycle_key(self):
+        """
+        Create a new session key, while retaining the current session data.
+        """
+        data = self._session
+        key = self.session_key
+        self.create()
+        self._session_cache = data
+        if key:
+            self.delete(key)
+
+    # Methods that child classes must implement.
+
+    def exists(self, session_key):
+        """
+        Return True if the given session_key already exists.
+        """
+        raise NotImplementedError(
+            "subclasses of SessionBase must provide an exists() method"
+        )
+
+    def create(self):
+        """
+        Create a new session instance. Guaranteed to create a new object with
+        a unique key and will have saved the result once (with empty data)
+        before the method returns.
+        """
+        raise NotImplementedError(
+            "subclasses of SessionBase must provide a create() method"
+        )
+
+    def save(self, must_create=False):
+        """
+        Save the session data. If 'must_create' is True, create a new session
+        object (or raise CreateError). Otherwise, only update an existing
+        object and don't create one (raise UpdateError if needed).
+        """
+        raise NotImplementedError(
+            "subclasses of SessionBase must provide a save() method"
+        )
+
+    def delete(self, session_key=None):
+        """
+        Delete the session data under this key. If the key is None, use the
+        current session key value.
+        """
+        raise NotImplementedError(
+            "subclasses of SessionBase must provide a delete() method"
+        )
+
+    def load(self):
+        """
+        Load the session data and return a dictionary.
+        """
+        raise NotImplementedError(
+            "subclasses of SessionBase must provide a load() method"
+        )
+
+    @classmethod
+    def clear_expired(cls):
+        """
+        Remove expired sessions from the session store.
+
+        If this operation isn't possible on a given backend, it should raise
+        NotImplementedError. If it isn't necessary, because the backend has
+        a built-in expiration mechanism, it should be a no-op.
+        """
+        raise NotImplementedError("This backend does not support clear_expired().")

plain_sessions-0.0.0/plain/sessions/backends/db.py

@@ -0,0 +1,110 @@
+import logging
+
+from plain.exceptions import SuspiciousOperation
+from plain.models import DatabaseError, IntegrityError, router, transaction
+from plain.sessions.backends.base import CreateError, SessionBase, UpdateError
+from plain.utils import timezone
+from plain.utils.functional import cached_property
+
+
+class SessionStore(SessionBase):
+    """
+    Implement database session store.
+    """
+
+    def __init__(self, session_key=None):
+        super().__init__(session_key)
+
+    @classmethod
+    def get_model_class(cls):
+        # Avoids a circular import and allows importing SessionStore when
+        # plain.sessions is not in INSTALLED_PACKAGES.
+        from plain.sessions.models import Session
+
+        return Session
+
+    @cached_property
+    def model(self):
+        return self.get_model_class()
+
+    def _get_session_from_db(self):
+        try:
+            return self.model.objects.get(
+                session_key=self.session_key, expire_date__gt=timezone.now()
+            )
+        except (self.model.DoesNotExist, SuspiciousOperation) as e:
+            if isinstance(e, SuspiciousOperation):
+                logger = logging.getLogger("plain.security.%s" % e.__class__.__name__)
+                logger.warning(str(e))
+            self._session_key = None
+
+    def load(self):
+        s = self._get_session_from_db()
+        return self.decode(s.session_data) if s else {}
+
+    def exists(self, session_key):
+        return self.model.objects.filter(session_key=session_key).exists()
+
+    def create(self):
+        while True:
+            self._session_key = self._get_new_session_key()
+            try:
+                # Save immediately to ensure we have a unique entry in the
+                # database.
+                self.save(must_create=True)
+            except CreateError:
+                # Key wasn't unique. Try again.
+                continue
+            self.modified = True
+            return
+
+    def create_model_instance(self, data):
+        """
+        Return a new instance of the session model object, which represents the
+        current session state. Intended to be used for saving the session data
+        to the database.
+        """
+        return self.model(
+            session_key=self._get_or_create_session_key(),
+            session_data=self.encode(data),
+            expire_date=self.get_expiry_date(),
+        )
+
+    def save(self, must_create=False):
+        """
+        Save the current session data to the database. If 'must_create' is
+        True, raise a database error if the saving operation doesn't create a
+        new entry (as opposed to possibly updating an existing entry).
+        """
+        if self.session_key is None:
+            return self.create()
+        data = self._get_session(no_load=must_create)
+        obj = self.create_model_instance(data)
+        using = router.db_for_write(self.model, instance=obj)
+        try:
+            with transaction.atomic(using=using):
+                obj.save(
+                    force_insert=must_create, force_update=not must_create, using=using
+                )
+        except IntegrityError:
+            if must_create:
+                raise CreateError
+            raise
+        except DatabaseError:
+            if not must_create:
+                raise UpdateError
+            raise
+
+    def delete(self, session_key=None):
+        if session_key is None:
+            if self.session_key is None:
+                return
+            session_key = self.session_key
+        try:
+            self.model.objects.get(session_key=session_key).delete()
+        except self.model.DoesNotExist:
+            pass
+
+    @classmethod
+    def clear_expired(cls):
+        cls.get_model_class().objects.filter(expire_date__lt=timezone.now()).delete()

plain_sessions-0.0.0/plain/sessions/cli.py

@@ -0,0 +1,23 @@
+from importlib import import_module
+
+import click
+
+from plain.runtime import settings
+
+
+@click.group()
+def cli():
+    """Sessions management commands."""
+    pass
+
+
+@cli.command()
+def clear_expired():
+    engine = import_module(settings.SESSION_ENGINE)
+    try:
+        engine.SessionStore.clear_expired()
+    except NotImplementedError:
+        raise NotImplementedError(
+            "Session engine '%s' doesn't support clearing expired "
+            "sessions." % settings.SESSION_ENGINE
+        )

plain_sessions-0.0.0/plain/sessions/config.py

@@ -0,0 +1,5 @@
+from plain.packages import PackageConfig
+
+
+class SessionsConfig(PackageConfig):
+    name = "plain.sessions"

plain_sessions-0.0.0/plain/sessions/default_settings.py

@@ -0,0 +1,21 @@
+# Cookie name. This can be whatever you want.
+SESSION_COOKIE_NAME = "sessionid"
+# Age of cookie, in seconds (default: 2 weeks).
+SESSION_COOKIE_AGE = 60 * 60 * 24 * 7 * 2
+# A string like "example.com", or None for standard domain cookie.
+SESSION_COOKIE_DOMAIN = None
+# Whether the session cookie should be secure (https:// only).
+SESSION_COOKIE_SECURE = False
+# The path of the session cookie.
+SESSION_COOKIE_PATH = "/"
+# Whether to use the HttpOnly flag.
+SESSION_COOKIE_HTTPONLY = True
+# Whether to set the flag restricting cookie leaks on cross-site requests.
+# This can be 'Lax', 'Strict', 'None', or False to disable the flag.
+SESSION_COOKIE_SAMESITE = "Lax"
+# Whether to save the session data on every request.
+SESSION_SAVE_EVERY_REQUEST = False
+# Whether a user's session cookie expires when the web browser is closed.
+SESSION_EXPIRE_AT_BROWSER_CLOSE = False
+# The module to store session data
+SESSION_ENGINE = "plain.sessions.backends.db"

plain_sessions-0.0.0/plain/sessions/exceptions.py

@@ -0,0 +1,13 @@
+from plain.exceptions import BadRequest, SuspiciousOperation
+
+
+class SuspiciousSession(SuspiciousOperation):
+    """The session may be tampered with"""
+
+    pass
+
+
+class SessionInterrupted(BadRequest):
+    """The session was interrupted."""
+
+    pass

plain_sessions-0.0.0/plain/sessions/middleware.py

@@ -0,0 +1,77 @@
+import time
+from importlib import import_module
+
+from plain.runtime import settings
+from plain.sessions.backends.base import UpdateError
+from plain.sessions.exceptions import SessionInterrupted
+from plain.utils.cache import patch_vary_headers
+from plain.utils.http import http_date
+
+
+class SessionMiddleware:
+    def __init__(self, get_response):
+        self.get_response = get_response
+        engine = import_module(settings.SESSION_ENGINE)
+        self.SessionStore = engine.SessionStore
+
+    def __call__(self, request):
+        session_key = request.COOKIES.get(settings.SESSION_COOKIE_NAME)
+        request.session = self.SessionStore(session_key)
+
+        response = self.get_response(request)
+
+        """
+        If request.session was modified, or if the configuration is to save the
+        session every time, save the changes and set a session cookie or delete
+        the session cookie if the session has been emptied.
+        """
+        try:
+            accessed = request.session.accessed
+            modified = request.session.modified
+            empty = request.session.is_empty()
+        except AttributeError:
+            return response
+        # First check if we need to delete this cookie.
+        # The session should be deleted only if the session is entirely empty.
+        if settings.SESSION_COOKIE_NAME in request.COOKIES and empty:
+            response.delete_cookie(
+                settings.SESSION_COOKIE_NAME,
+                path=settings.SESSION_COOKIE_PATH,
+                domain=settings.SESSION_COOKIE_DOMAIN,
+                samesite=settings.SESSION_COOKIE_SAMESITE,
+            )
+            patch_vary_headers(response, ("Cookie",))
+        else:
+            if accessed:
+                patch_vary_headers(response, ("Cookie",))
+            if (modified or settings.SESSION_SAVE_EVERY_REQUEST) and not empty:
+                if request.session.get_expire_at_browser_close():
+                    max_age = None
+                    expires = None
+                else:
+                    max_age = request.session.get_expiry_age()
+                    expires_time = time.time() + max_age
+                    expires = http_date(expires_time)
+                # Save the session data and refresh the client cookie.
+                # Skip session save for 5xx responses.
+                if response.status_code < 500:
+                    try:
+                        request.session.save()
+                    except UpdateError:
+                        raise SessionInterrupted(
+                            "The request's session was deleted before the "
+                            "request completed. The user may have logged "
+                            "out in a concurrent request, for example."
+                        )
+                    response.set_cookie(
+                        settings.SESSION_COOKIE_NAME,
+                        request.session.session_key,
+                        max_age=max_age,
+                        expires=expires,
+                        domain=settings.SESSION_COOKIE_DOMAIN,
+                        path=settings.SESSION_COOKIE_PATH,
+                        secure=settings.SESSION_COOKIE_SECURE or None,
+                        httponly=settings.SESSION_COOKIE_HTTPONLY or None,
+                        samesite=settings.SESSION_COOKIE_SAMESITE,
+                    )
+        return response

plain_sessions-0.0.0/plain/sessions/migrations/0001_initial.py

@@ -0,0 +1,35 @@
+import plain.sessions.models
+from plain import models
+from plain.models import migrations
+
+
+class Migration(migrations.Migration):
+    dependencies = []
+
+    operations = [
+        migrations.CreateModel(
+            name="Session",
+            fields=[
+                (
+                    "session_key",
+                    models.CharField(
+                        max_length=40,
+                        serialize=False,
+                        primary_key=True,
+                    ),
+                ),
+                ("session_data", models.TextField()),
+                (
+                    "expire_date",
+                    models.DateTimeField(db_index=True),
+                ),
+            ],
+            options={
+                "abstract": False,
+                "db_table": "django_session",
+            },
+            managers=[
+                ("objects", plain.sessions.models.SessionManager()),
+            ],
+        ),
+    ]

plain_sessions-0.0.0/plain/sessions/migrations/0002_alter_session_options_alter_session_expire_date_and_more.py

@@ -0,0 +1,32 @@
+# Generated by Plain 5.0.dev20230814020017 on 2023-08-14 02:09
+
+from plain import models
+from plain.models import migrations
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("sessions", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name="session",
+            options={},
+        ),
+        migrations.AlterField(
+            model_name="session",
+            name="expire_date",
+            field=models.DateTimeField(db_index=True),
+        ),
+        migrations.AlterField(
+            model_name="session",
+            name="session_data",
+            field=models.TextField(),
+        ),
+        migrations.AlterField(
+            model_name="session",
+            name="session_key",
+            field=models.CharField(max_length=40, primary_key=True, serialize=False),
+        ),
+    ]

plain_sessions-0.0.0/plain/sessions/models.py

@@ -0,0 +1,61 @@
+from plain import models
+
+
+class SessionManager(models.Manager):
+    use_in_migrations = True
+
+    def encode(self, session_dict):
+        """
+        Return the given session dictionary serialized and encoded as a string.
+        """
+        session_store_class = self.model.get_session_store_class()
+        return session_store_class().encode(session_dict)
+
+    def save(self, session_key, session_dict, expire_date):
+        s = self.model(session_key, self.encode(session_dict), expire_date)
+        if session_dict:
+            s.save()
+        else:
+            s.delete()  # Clear sessions with no data.
+        return s
+
+
+class Session(models.Model):
+    """
+    Plain provides full support for anonymous sessions. The session
+    framework lets you store and retrieve arbitrary data on a
+    per-site-visitor basis. It stores data on the server side and
+    abstracts the sending and receiving of cookies. Cookies contain a
+    session ID -- not the data itself.
+
+    The Plain sessions framework is entirely cookie-based. It does
+    not fall back to putting session IDs in URLs. This is an intentional
+    design decision. Not only does that behavior make URLs ugly, it makes
+    your site vulnerable to session-ID theft via the "Referer" header.
+
+    For complete documentation on using Sessions in your code, consult
+    the sessions documentation that is shipped with Plain (also available
+    on the Plain web site).
+    """
+
+    session_key = models.CharField(max_length=40, primary_key=True)
+    session_data = models.TextField()
+    expire_date = models.DateTimeField(db_index=True)
+
+    objects = SessionManager()
+
+    def __str__(self):
+        return self.session_key
+
+    @classmethod
+    def get_session_store_class(cls):
+        from plain.sessions.backends.db import SessionStore
+
+        return SessionStore
+
+    def get_decoded(self):
+        session_store_class = self.get_session_store_class()
+        return session_store_class().decode(self.session_data)
+
+    class Meta:
+        db_table = "django_session"

plain_sessions-0.0.0/plain/sessions/preflight.py

@@ -0,0 +1,98 @@
+from plain.preflight import Warning, register
+from plain.runtime import settings
+
+
+def add_session_cookie_message(message):
+    return message + (
+        " Using a secure-only session cookie makes it more difficult for "
+        "network traffic sniffers to hijack user sessions."
+    )
+
+
+W010 = Warning(
+    add_session_cookie_message(
+        "You have 'plain.sessions' in your INSTALLED_PACKAGES, "
+        "but you have not set SESSION_COOKIE_SECURE to True."
+    ),
+    id="security.W010",
+)
+
+W011 = Warning(
+    add_session_cookie_message(
+        "You have 'plain.sessions.middleware.SessionMiddleware' "
+        "in your MIDDLEWARE, but you have not set "
+        "SESSION_COOKIE_SECURE to True."
+    ),
+    id="security.W011",
+)
+
+W012 = Warning(
+    add_session_cookie_message("SESSION_COOKIE_SECURE is not set to True."),
+    id="security.W012",
+)
+
+
+def add_httponly_message(message):
+    return message + (
+        " Using an HttpOnly session cookie makes it more difficult for "
+        "cross-site scripting attacks to hijack user sessions."
+    )
+
+
+W013 = Warning(
+    add_httponly_message(
+        "You have 'plain.sessions' in your INSTALLED_PACKAGES, "
+        "but you have not set SESSION_COOKIE_HTTPONLY to True.",
+    ),
+    id="security.W013",
+)
+
+W014 = Warning(
+    add_httponly_message(
+        "You have 'plain.sessions.middleware.SessionMiddleware' "
+        "in your MIDDLEWARE, but you have not set "
+        "SESSION_COOKIE_HTTPONLY to True."
+    ),
+    id="security.W014",
+)
+
+W015 = Warning(
+    add_httponly_message("SESSION_COOKIE_HTTPONLY is not set to True."),
+    id="security.W015",
+)
+
+
+@register(deploy=True)
+def check_session_cookie_secure(package_configs, **kwargs):
+    if settings.SESSION_COOKIE_SECURE is True:
+        return []
+    errors = []
+    if _session_app():
+        errors.append(W010)
+    if _session_middleware():
+        errors.append(W011)
+    if len(errors) > 1:
+        errors = [W012]
+    return errors
+
+
+@register(deploy=True)
+def check_session_cookie_httponly(package_configs, **kwargs):
+    if settings.SESSION_COOKIE_HTTPONLY is True:
+        return []
+    errors = []
+    if _session_app():
+        errors.append(W013)
+    if _session_middleware():
+        errors.append(W014)
+    if len(errors) > 1:
+        errors = [W015]
+    return errors
+
+
+def _session_middleware():
+    return "plain.sessions.middleware.SessionMiddleware" in settings.MIDDLEWARE
+
+
+def _session_app():
+    return "plain.sessions" in settings.INSTALLED_PACKAGES

plain_sessions-0.0.0/pyproject.toml

@@ -0,0 +1,17 @@
+[tool.poetry]
+name = "plain.sessions"
+packages = [
+    { include = "plain" },
+]
+version = "0.0.0"
+description = ""
+authors = ["Dave Gaeddert <dave.gaeddert@dropseed.dev>"]
+# readme = "README.md"
+
+[tool.poetry.dependencies]
+python = "^3.11"
+
+
+[build-system]
+requires = ["poetry-core"]
+build-backend = "poetry.core.masonry.api"