Add "Alternative Token" handling for flask-login (see #699) (#701)

main/auth/auth.py

@@ -57,7 +57,7 @@ def key(self):
     return self.user_db.key.urlsafe()
 
   def get_id(self):
-    return self.user_db.key.urlsafe()
+    return unicode(self.user_db.session_token)
 
   def is_authenticated(self):
     return True
@@ -73,8 +73,8 @@ def has_permission(self, permission):
 
 
 @login_manager.user_loader
-def load_user(key):
-  user_db = ndb.Key(urlsafe=key).get()
+def load_user(session_token):
+  user_db = model.User.get_by('session_token', session_token)
   if user_db:
     return FlaskUser(user_db)
   return None
@@ -395,6 +395,7 @@ def create_user_db(auth_id, name, username, email='', verified=False, **props):
     auth_ids=[auth_id] if auth_id else [],
     verified=verified,
     token=util.uuid(),
+    session_token=util.uuid(),
     **props
   )
   user_db.put()

main/control/user.py

@@ -217,6 +217,7 @@ def user_reset(token=None):
   form = UserResetForm()
   if form.validate_on_submit():
     user_db.password_hash = util.password_hash(user_db, form.new_password.data)
+    user_db.session_token = util.uuid()
     user_db.token = util.uuid()
     user_db.verified = True
     user_db.put()
@@ -261,6 +262,7 @@ def user_activate(token):
   if form.validate_on_submit():
     form.populate_obj(user_db)
     user_db.password_hash = util.password_hash(user_db, form.password.data)
+    user_db.session_token = util.uuid()
     user_db.token = util.uuid()
     user_db.verified = True
     user_db.put()

main/model/user.py

@@ -25,6 +25,7 @@ class User(model.Base):
   verified = ndb.BooleanProperty(default=False)
   token = ndb.StringProperty(default='')
   password_hash = ndb.StringProperty(default='')
+  session_token = ndb.StringProperty(default='')
 
   def has_permission(self, perm):
     return self.admin or perm in self.permissions