Initial commit

Author: ViktorStiskala

.gitignore

@@ -0,0 +1,2 @@
+*.egg-info
+__pycache__/

setup.py

@@ -0,0 +1,26 @@
+# coding=utf-8
+import os
+from setuptools import setup
+
+# allow setup.py to be run from any path
+os.chdir(os.path.normpath(os.path.join(os.path.abspath(__file__), os.pardir)))
+
+setup(
+    name='django-shared-session',
+    version='0.1',
+    packages=['shared_session'],
+    include_package_data=True,
+    license='MPL',
+    description='A tool for cross domain Django session sharing',
+    author='Viktor Stískala',
+    author_email='viktor@stiskala.cz',
+    install_requires=['django>=1.7', 'python-dateutil>=2.5'],
+    classifiers=[
+        'Intended Audience :: Developers',
+        'Operating System :: OS Independent',
+        'Programming Language :: Python',
+        'Programming Language :: Python :: 3 :: Only',
+        'Topic :: Software Development :: Libraries',
+        'Topic :: Software Development :: Libraries :: Python Modules',
+    ],
+)

shared_session/__init__.py

@@ -0,0 +1,8 @@
+from django.conf.urls import url
+from . import views
+
+urlpatterns = [
+    url(r'^(?P<message>.+).js$', views.shared_session_view, name='share'),
+]
+
+urls = urlpatterns, 'shared_session', 'shared_session'

shared_session/signals.py

@@ -0,0 +1,4 @@
+import django.dispatch
+
+
+session_replaced = django.dispatch.Signal(providing_args=['request', 'src_domain', 'dest_domain', 'was_empty'])

shared_session/templatetags/__init__.py

@@ -0,0 +1,75 @@
+import copy
+import json
+from urllib.parse import urljoin
+
+import nacl.secret
+import nacl.utils
+from django import template
+from django.conf import settings
+from django.contrib.sessions.backends.base import UpdateError
+from django.urls import reverse
+from django.utils import timezone
+from django.utils.http import urlsafe_base64_encode
+
+register = template.Library()
+
+
+@register.tag
+def shared_session_loader(parser, token):
+    return LoaderNode()
+
+
+class LoaderNode(template.Node):
+    template = template.Template('{% for path in domains %}<script src="{{ path }}" async></script>{% endfor %}')
+
+    def __init__(self):
+        self.encryption_key = settings.SECRET_KEY.encode('ascii')[:nacl.secret.SecretBox.KEY_SIZE]
+        super().__init__()
+
+    def get_domains(self, request):
+        host = request.META['HTTP_HOST']
+
+        # Build domain list, with support for subdomains
+        domains = copy.copy(settings.SHARED_SESSION_SITES)
+        for domain in settings.SHARED_SESSION_SITES:
+            if host.endswith(domain):
+                domains.remove(domain)
+
+        return domains
+
+    def ensure_session_key(self, request):
+        if not request.session.session_key:
+            request.session.save()
+
+    def encrypt_payload(self, data):
+        box = nacl.secret.SecretBox(self.encryption_key)
+        nonce = nacl.utils.random(nacl.secret.SecretBox.NONCE_SIZE)
+
+        message = json.dumps(data).encode('ascii')
+        return box.encrypt(message, nonce)
+
+    def get_message(self, request, domain):
+        return urlsafe_base64_encode(self.encrypt_payload({
+            'key': request.session.session_key,
+            'src': request.META['HTTP_HOST'],
+            'dst': domain,
+            'ts': timezone.now().isoformat()
+        }))
+
+    def build_url(self, domain, message):
+        return urljoin(domain, reverse('shared_session:share', kwargs={'message': message}))
+
+    def render(self, context):
+        request = context['request']
+
+        if request.session.is_empty():
+            return ''
+
+        try:
+            self.ensure_session_key(request)
+
+            return self.template.render(template.Context({
+                'domains': [self.build_url(domain='{}://{}'.format(request.scheme, domain), message=self.get_message(request, domain)) for domain in self.get_domains(request)]
+            }))
+        except UpdateError:
+            return ''

shared_session/templatetags/shared_session.py

@@ -0,0 +1,63 @@
+import time
+import json
+import nacl.secret
+from dateutil.parser import parse
+
+from django.conf import settings
+from django.http.response import HttpResponse
+from django.utils import timezone
+from django.utils.http import cookie_date, urlsafe_base64_decode
+from django.views import View
+from nacl.exceptions import CryptoError
+from . import signals
+
+
+class SharedSessionView(View):
+    def __init__(self, **kwargs):
+        self.encryption_key = settings.SECRET_KEY.encode('ascii')[:nacl.secret.SecretBox.KEY_SIZE]
+        super().__init__(**kwargs)
+
+    def decrypt_payload(self, message):
+        box = nacl.secret.SecretBox(self.encryption_key)
+
+        data = box.decrypt(message).decode('ascii')
+        return json.loads(data)
+
+    def get(self, request, *args, **kwargs):
+        response = HttpResponse('', content_type='text/javascript')
+        try:
+            message = self.decrypt_payload(urlsafe_base64_decode(kwargs.get('message')))
+
+            is_session_empty = request.session.is_empty()
+
+            # replace session cookie only when session is empty or when always replace is set
+            if is_session_empty or getattr(settings, 'SHARED_SESSION_ALWAYS_REPLACE', False):
+                http_host = request.META['HTTP_HOST']
+
+                if (timezone.now() - parse(message['ts'])).total_seconds() < getattr(settings, 'SHARED_SESSION_TIMEOUT', 30):
+                    if request.session.get_expire_at_browser_close():
+                        max_age = None
+                        expires = None
+                    else:
+                        max_age = request.session.get_expiry_age()
+                        expires_time = time.time() + max_age
+                        expires = cookie_date(expires_time)
+
+                    response.set_cookie(
+                        settings.SESSION_COOKIE_NAME,
+                        message['key'], max_age=max_age,
+                        expires=expires, domain=settings.SESSION_COOKIE_DOMAIN,
+                        path=settings.SESSION_COOKIE_PATH,
+                        secure=settings.SESSION_COOKIE_SECURE or None,
+                        httponly=settings.SESSION_COOKIE_HTTPONLY or None,
+                    )
+
+                    # emit signal
+                    signals.session_replaced.send(sender=self.__class__, request=request, was_empty=is_session_empty, src_domain=message['src'], dst_domain=http_host)
+        except (CryptoError, ValueError):
+            pass
+
+        return response
+
+
+shared_session_view = SharedSessionView.as_view()