feat: integrate django-session-security (#197)

* feat: integrate django-session-security * fix: handle session and csrf secure cookie
Healthlane-Technologies · Apr 29, 2024 · 5d30188 · 5d30188
1 parent 12c22f1
commit 5d30188
Show file tree

Hide file tree

Showing 7 changed files with 45 additions and 8 deletions.
diff --git a/backend/requirements/base.txt b/backend/requirements/base.txt
@@ -1,4 +1,4 @@
-django>=3.0
+django==4.2.11
 psycopg2-binary
 django-tenants
 djangorestframework
@@ -27,4 +27,5 @@ XlsxWriter==3.1.9
 pydub==0.25.1
 django-celery-results==2.5.1
 django-environ==0.11.2
-pytz==2024.1
+pytz==2024.1
+django-session-security==2.6.7
diff --git a/backend/src/zelthy/apps/shared/tenancy/templates/app_panel.html b/backend/src/zelthy/apps/shared/tenancy/templates/app_panel.html
@@ -18,6 +18,8 @@
     var csrf_token = "{{ csrf_token }}";
   </script>
   <script src="{% static 'app_panel/js/build.v1.0.44.min.js' %}"></script>
+  <script src="{% static 'js/jquery/3.7.1/jquery.min.js' %}"></script>
+  {% include 'session_security/all.html' %}
 </body>
 
 </html>
diff --git a/backend/src/zelthy/assets/js/jquery/3.7.1/jquery.min.js b/backend/src/zelthy/assets/js/jquery/3.7.1/jquery.min.js
diff --git a/backend/src/zelthy/cli/project_template/project_name/settings.py b/backend/src/zelthy/cli/project_template/project_name/settings.py
@@ -7,7 +7,11 @@
 BASE_DIR = Path(__file__).resolve().parent.parent
 
 env = environ.Env(
-    DEBUG=(bool, True), REDIS_HOST=(str, "127.0.0.1"), REDIS_PORT=(str, "6379")
+    DEBUG=(bool, True),
+    REDIS_HOST=(str, "127.0.0.1"),
+    REDIS_PORT=(str, "6379"),
+    SESSION_SECURITY_WARN_AFTER=(int, 1700),
+    SESSION_SECURITY_EXPIRE_AFTER=(int, 1800),
 )
 environ.Env.read_env(os.path.join(BASE_DIR.parent, ".env"))
 
@@ -116,3 +120,13 @@
 STATIC_ROOT = os.path.join(BASE_DIR, "static")
 STATIC_URL = "static/"
 STATICFILES_DIRS += [os.path.join(BASE_DIR, "assets")]
+
+# Session Security
+SESSION_SECURITY_WARN_AFTER = env("SESSION_SECURITY_WARN_AFTER")
+SESSION_SECURITY_EXPIRE_AFTER = env("SESSION_SECURITY_EXPIRE_AFTER")
+
+if DEBUG or ENV == "dev":
+    # Disable secure cookies in development or debugging environments
+    # to simplify troubleshooting and testing.
+    SESSION_COOKIE_SECURE = False
+    CSRF_COOKIE_SECURE = False
diff --git a/backend/src/zelthy/config/settings/base.py b/backend/src/zelthy/config/settings/base.py
@@ -29,7 +29,7 @@
     # 'django_otp.plugins.otp_static',
     # 'django_otp.plugins.otp_totp',
     # 'axes',
-    # 'session_security',
+    "session_security",
     "django_celery_beat",
     "django_celery_results",
     "rest_framework",
@@ -75,6 +75,7 @@
     "django.middleware.common.CommonMiddleware",
     "django.middleware.csrf.CsrfViewMiddleware",
     "django.contrib.auth.middleware.AuthenticationMiddleware",
+    "session_security.middleware.SessionSecurityMiddleware",
     "zelthy.middleware.request.UserRoleAndAppObjectAssignmentMiddleware",
     # 'zelthy.middleware.middleware.SetUserRoleMiddleWare',
     "django.contrib.messages.middleware.MessageMiddleware",
@@ -144,8 +145,8 @@
 CRISPY_TEMPLATE_PACK = "bootstrap5"
 
 SESSION_COOKIE_NAME = "zelthycookie"
-SESSION_COOKIE_SECURE = False  # To be changed for prod settings
-CSRF_COOKIE_SECURE = False  # To be changed for prod settings
+SESSION_COOKIE_SECURE = True
+CSRF_COOKIE_SECURE = True
 
 LOGOUT_REDIRECT_URL = "/admin/login"
 
@@ -163,3 +164,15 @@
 
 PACKAGE_BUCKET_NAME = "zelthy3-packages"
 CODEASSIST_ENABLED = True
+
+# Session Security
+SESSION_EXPIRE_AT_BROWSER_CLOSE = True
+SESSION_SECURITY_WARN_AFTER = 1700
+SESSION_SECURITY_EXPIRE_AFTER = 1800
+
+# List of url names that should be ignored by the session security middleware.
+# For example the request of history_sidebar is made without user intervention,
+# as such it should not be used to update the user’s last activity datetime.
+SESSION_SECURITY_PASSIVE_URL_NAMES = [
+    "history_sidebar",
+]
diff --git a/backend/src/zelthy/config/urls_public.py b/backend/src/zelthy/config/urls_public.py
@@ -17,6 +17,7 @@
     re_path(r"^admin/", admin.site.urls),
     re_path(r"^api/", include("zelthy.api.platform.urls")),
     re_path(r"api/auth/", include("knox.urls")),
+    re_path(r"session_security/", include("session_security.urls")),
     re_path(r"^", include("zelthy.apps.shared.tenancy.urls")),
 ]
 if settings.DEBUG:

diff --git a/backend/src/zelthy/config/urls_tenants.py b/backend/src/zelthy/config/urls_tenants.py
@@ -7,12 +7,16 @@
     re_path(r"^", include("zelthy.apps.appauth.urls")),
     re_path(r"api/auth/", include("knox.urls")),
     re_path(r"api/", include("zelthy.api.app_auth.urls")),
-    path("__debug__/", include("debug_toolbar.urls")),
-    re_path(r"^((?:[\w\-:.,]+/)*)$", include("zelthy.apps.dynamic_models.urls")),
+    re_path(r"session_security/", include("session_security.urls")),
 ]
 
 if settings.DEBUG:
     urlpatterns += [
         path("__debug__/", include("debug_toolbar.urls")),
     ]
     urlpatterns += static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)
+
+# include dynamic views
+urlpatterns += [
+    re_path(r"^((?:[\w\-:.,]+/)*)$", include("zelthy.apps.dynamic_models.urls")),
+]