authorLouis Burda <quent.burda@gmail.com>2022-11-06 13:34:15 +0100
committerLouis Burda <quent.burda@gmail.com>2022-11-06 13:35:16 +0100
commite24d7c033cecda0d24655f967499ea2c1cdb4aaa (patch)
tree219844c5455027c2800193b2df0b429dd2e62e2b
parent0f41cfe1b25571493bd523349ab5f835c4a84819 (diff)
downloadbambi7-service-fireworx-e24d7c033cecda0d24655f967499ea2c1cdb4aaa.tar.gz
bambi7-service-fireworx-e24d7c033cecda0d24655f967499ea2c1cdb4aaa.zip
Replace session storage to prevent cookie reuse
-rw-r--r--service/Dockerfile6
-rw-r--r--service/app.py21
-rw-r--r--service/docker-compose.yml5
-rwxr-xr-xservice/entrypoint.sh (renamed from service/run.sh)3
-rw-r--r--service/requirements.txt7
5 files changed, 25 insertions, 17 deletions
diff --git a/service/Dockerfile b/service/Dockerfile
index 314ca26..c26ea3a 100644
--- a/service/Dockerfile
+++ b/service/Dockerfile
@@ -9,9 +9,9 @@ RUN python3 -m pip install -r requirements.txt
WORKDIR /service
RUN mkdir data
COPY static static
-COPY app.py crypto.py init.sql run.sh ./
+COPY app.py crypto.py init.sql entrypoint.sh ./
RUN useradd -u 2000 cryptodude
-RUN chmod +x run.sh
+RUN chmod +x entrypoint.sh
-CMD ["/bin/bash", "-c", "chmod 777 -R /service/data && sudo -u cryptodude /service/run.sh"]
+ENTRYPOINT /service/entrypoint.sh
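Review bot: The new `ENTRYPOINT /service/entrypoint.sh` is in shell form, so the script runs as a child of `/bin/sh -c` and stop signals sent to the container do not reach it directly; the exec form `ENTRYPOINT ["/service/entrypoint.sh"]` avoids that. The container still starts as root and depends on the script's `sudo -u cryptodude` line for the privilege drop, so everything the script does before that line runs as root. A comment above the instruction would make that explicit, e.g. `# starts as root; entrypoint.sh drops to cryptodude before launching app.py`.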
diff --git a/service/app.py b/service/app.py
index 87c30cd..ba9add5 100644
--- a/service/app.py
+++ b/service/app.py
@@ -1,11 +1,14 @@
from aiohttp import web, WSCloseCode
-from aiohttp_session import setup, get_session, new_session
+from aiohttp_session import get_session, new_session
from aiohttp_session.cookie_storage import EncryptedCookieStorage
from base64 import urlsafe_b64decode
from cryptography import fernet
from datetime import datetime
from hashlib import md5
+import aiohttp_session
+import aiohttp_session.redis_storage
+import aioredis
import aiosqlite
import asyncio
import crypto
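Review bot: With the cookie-key code removed from create_runner, the imports of `EncryptedCookieStorage`, `urlsafe_b64decode` and `fernet` kept in this hunk look unused, though the rest of app.py is not visible here. If nothing else references them, drop the three lines so the module no longer suggests that session data lives in an encrypted cookie. The hunk also keeps `from aiohttp_session import get_session, new_session` next to the new plain `import aiohttp_session`; one import form is enough.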
@@ -466,15 +469,13 @@ async def handle_launch(request):
return web.Response(status=200)
-def create_runner():
+async def create_runner():
app = web.Application()
- if os.path.exists("data/.secret_key"):
- secret_key = open("data/.secret_key", "rb").read()
- else:
- fernet_key = fernet.Fernet.generate_key()
- secret_key = urlsafe_b64decode(fernet_key)
- open("data/.secret_key", "wb+").write(secret_key)
- setup(app, EncryptedCookieStorage(secret_key))
+ redis_host = os.getenv("REDIS_HOST")
+ redis_port = os.getenv("REDIS_PORT")
+ redis = await aioredis.from_url(f"redis://{redis_host}:{redis_port}")
+ storage = aiohttp_session.redis_storage.RedisStorage(redis)
+ aiohttp_session.setup(app, storage)
app.add_routes([
web.get('/', handle_main),
web.get('/ws', handle_ws),
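Review bot: `os.getenv("REDIS_HOST")` and `os.getenv("REDIS_PORT")` return None when the variable is unset, so the URL becomes `redis://None:None` and the mistake only shows up later as a connection error; `redis_host = os.environ["REDIS_HOST"]` (and the same for the port) fails at startup and names the missing variable. `RedisStorage(redis)` is built without `max_age`, so, as far as I can tell from the library, neither the stored session entry nor the cookie carrying its key expires; passing a lifetime, e.g. `RedisStorage(redis, max_age=SESSION_TTL_SECONDS)` with a constant defined in app.py, bounds how long a captured cookie stays usable. Because the cookie is now a bearer key into Redis, the logout handler (not in this hunk) should call `session.invalidate()` so the old key stops mapping to a logged-in session. create_runner continues past the end of this hunk.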
@@ -497,7 +498,7 @@ async def main():
global db
db = await aiosqlite.connect("data/db.sqlite")
await db.execute("PRAGMA foreign_keys = ON")
- runner = create_runner()
+ runner = await create_runner()
await runner.setup()
site = web.TCPSite(runner, "0.0.0.0", 1812)
await site.start()
diff --git a/service/docker-compose.yml b/service/docker-compose.yml
index 909e591..70c4732 100644
--- a/service/docker-compose.yml
+++ b/service/docker-compose.yml
@@ -4,5 +4,10 @@ services:
build: .
volumes:
- ./data:/service/data:rw
+ environment:
+ - REDIS_HOST=fireworx-redis
+ - REDIS_PORT=6379
ports:
- "1812:1812"
+ fireworx-redis:
+ image: redis
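Review bot: `image: redis` carries no tag, so each pull takes whatever `latest` is at that moment; pin it, e.g. `image: redis:<pinned-version>`, ideally by digest. The Redis service publishes no ports, which keeps the session store off the host network, but it also runs without authentication, so any other container attached to this compose network can read or rewrite sessions. The app service has no `depends_on` entry for `fireworx-redis`, so start order is left to chance.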
diff --git a/service/run.sh b/service/entrypoint.sh
index 5daf45f..1086a76 100755
--- a/service/run.sh
+++ b/service/entrypoint.sh
@@ -10,4 +10,5 @@ while true; do
sleep 60
done &
-python3 /service/app.py
+chmod -R 777 /service/data
+sudo -u cryptodude -E python3 /service/app.py
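Review bot: `chmod -R 777 /service/data` makes the directory that holds `db.sqlite` writable by every user in the container, and on the host as well since it is a bind mount; handing it to the service account is narrower: `chown -R cryptodude /service/data && chmod -R u=rwX,go= /service/data`. `sudo -E` passes root's whole environment to the app, while the compose file only sets REDIS_HOST and REDIS_PORT for it; `sudo --preserve-env=REDIS_HOST,REDIS_PORT -u cryptodude python3 /service/app.py` limits it to those. The start of the script, including the background loop, is outside this hunk and runs as root.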
diff --git a/service/requirements.txt b/service/requirements.txt
index 78a68df..c82f52d 100644
--- a/service/requirements.txt
+++ b/service/requirements.txt
@@ -1,7 +1,8 @@
aiohttp==3.8.3
-aiohttp_session==2.11.0
+aiohttp_session==2.12.0
+aioredis==2.0.1
aiosqlite==0.17.0
-cryptography==38.0.1
+cryptography==38.0.2
gmpy2==2.1.2
-numpy==1.23.3
pycryptodome==3.15.0
+requests==2.25.1
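Review bot: `requests==2.25.1` is added, but no hunk in this commit imports requests, and the pin looks considerably older than the other versions in the file; if the service needs it, pin a current release, otherwise leave it out. `aioredis` has been merged into redis-py as `redis.asyncio`, so it is worth confirming that `RedisStorage` in aiohttp_session 2.12.0 accepts an aioredis 2.0.1 client rather than expecting the redis-py one. None of the pins carry hashes, so the file cannot be installed with `pip install --require-hashes`.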