Skip to content

edit: assert xtoken equality #419

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jun 3, 2025
Merged

edit: assert xtoken equality #419

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 5 additions & 11 deletions scratchattach/site/session.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,9 +16,6 @@
from contextlib import contextmanager
from threading import local

# import secrets
# import zipfile
# from typing import Type
Type = type

if TYPE_CHECKING:
Expand Down Expand Up @@ -910,6 +907,7 @@ def connect_user_by_id(self, user_id: int) -> user.User:
Returns:
scratchattach.user.User: An object that represents the requested user and allows you to perform actions on the user (like user.follow)
"""
# noinspection PyDeprecation
return self._make_linked_object("username", self.find_username_from_id(user_id), user.User,
exceptions.UserNotFound)

Expand Down Expand Up @@ -1131,21 +1129,18 @@ def login_by_id(session_id: str, *, username: Optional[str] = None, password: Op
scratchattach.session.Session: An object that represents the created login / session
"""
# Generate session_string (a scratchattach-specific authentication method)
# should this be changed to a @property?
issue_login_warning()
if password is not None:
session_data = dict(id=session_id, username=username, password=password)
session_string = base64.b64encode(json.dumps(session_data).encode()).decode()
else:
session_string = None

if xtoken is not None:
# todo: consider removing the xtoken parameter?
warnings.warn("xtoken is redundant because it is retrieved by decoding the session id.")

_session = Session(id=session_id, username=username, session_string=session_string)

# xtoken is decoded from sessid, so don't use sess.update
# but this will cause incompatibilities, warranting a change in the 2nd (semver) version number
if xtoken is not None:
# xtoken is retrievable from session id, so the most we can do is assert equality
assert xtoken == _session.xtoken

return _session

Expand Down Expand Up @@ -1176,7 +1171,6 @@ def login(username, password, *, timeout=10) -> Session:
with requests.no_error_handling():
request = requests.post(
"https://scratch.mit.edu/login/", json={"username": username, "password": password}, headers=_headers,

timeout=timeout
)
try:
Expand Down