Prevent accidentally setting remember token (#899)

Author: alanhamlett

.editorconfig

@@ -7,7 +7,7 @@ insert_final_newline = true
 trim_trailing_whitespace = true
 end_of_line = lf
 charset = utf-8
-max_line_length = 88
+max_line_length = 100
 
 [*.{yml,yaml,json,js,css,html}]
 indent_size = 2

.readthedocs.yaml

@@ -9,5 +9,6 @@ python:
     - method: pip
       path: .
 sphinx:
+  configuration: docs/conf.py
   builder: dirhtml
   fail_on_warning: true

pyproject.toml

@@ -63,6 +63,7 @@ src = ["src"]
 fix = true
 show-fixes = true
 show-source = true
+line-length = 100
 
 [tool.ruff.lint]
 select = [

src/flask_login/login_manager.py

@@ -326,9 +326,7 @@ def _load_user(self):
         if user is None:
             config = current_app.config
             cookie_name = config.get("REMEMBER_COOKIE_NAME", COOKIE_NAME)
-            has_cookie = (
-                cookie_name in request.cookies and session.get("_remember") != "clear"
-            )
+            has_cookie = cookie_name in request.cookies and session.get("_remember") != "clear"
             if has_cookie:
                 cookie = request.cookies[cookie_name]
                 user = self._load_user_from_remember_cookie(cookie)
@@ -389,23 +387,27 @@ def _load_user_from_request(self, request):
         return None
 
     def _update_remember_cookie(self, response):
-        # Don't modify the session unless there's something to do.
-        if "_remember" not in session and current_app.config.get(
-            "REMEMBER_COOKIE_REFRESH_EACH_REQUEST"
-        ):
-            session["_remember"] = "set"
+        config = current_app.config
+        cookie_name = config.get("REMEMBER_COOKIE_NAME", COOKIE_NAME)
+        has_cookie = cookie_name in request.cookies and session.get("_remember") != "clear"
+        refresh = current_app.config.get("REMEMBER_COOKIE_REFRESH_EACH_REQUEST") and has_cookie
 
-        if "_remember" in session:
-            operation = session.pop("_remember", None)
+        operation = session.pop("_remember", None)
+        if not operation and not refresh:
+            return response
 
-            if operation == "set" and "_user_id" in session:
-                self._set_cookie(response)
-            elif operation == "clear":
-                self._clear_cookie(response)
+        if operation == "clear":
+            self._clear_cookie(response)
+
+        if operation == "set" or refresh:
+            self._set_cookie(response)
 
         return response
 
     def _set_cookie(self, response):
+        if "_user_id" not in session:
+            return
+
         # cookie settings
         config = current_app.config
         cookie_name = config.get("REMEMBER_COOKIE_NAME", COOKIE_NAME)
@@ -431,8 +433,7 @@ def _set_cookie(self, response):
             expires = datetime.now(timezone.utc) + duration
         except TypeError as e:
             raise Exception(
-                "REMEMBER_COOKIE_DURATION must be a datetime.timedelta,"
-                f" instead got: {duration}"
+                f"REMEMBER_COOKIE_DURATION must be a datetime.timedelta, instead got: {duration}"
             ) from e
 
         # actually set it

src/flask_login/utils.py

@@ -126,9 +126,7 @@ def login_url(login_view, next_url=None, next_field="next"):
     md = parse_qs(parsed_result.query, keep_blank_values=True)
     md[next_field] = make_next_param(base, next_url)
     netloc = current_app.config.get("FORCE_HOST_FOR_REDIRECTS") or parsed_result.netloc
-    parsed_result = parsed_result._replace(
-        netloc=netloc, query=urlencode(md, doseq=True)
-    )
+    parsed_result = parsed_result._replace(netloc=netloc, query=urlencode(md, doseq=True))
     return urlunsplit(parsed_result)
 
 
@@ -191,8 +189,7 @@ def login_user(user, remember=False, duration=None, force=False, fresh=True):
             try:
                 # equal to timedelta.total_seconds() but works with Python 2.6
                 session["_remember_seconds"] = (
-                    duration.microseconds
-                    + (duration.seconds + duration.days * 24 * 3600) * 10**6
+                    duration.microseconds + (duration.seconds + duration.days * 24 * 3600) * 10**6
                 ) / 10.0**6
             except AttributeError as e:
                 raise Exception(

tests/test_login.py

@@ -185,6 +185,7 @@ def test_no_user_loader_raises(self):
 class MethodViewLoginTestCase(unittest.TestCase):
     def setUp(self):
         self.app = Flask(__name__)
+        self.app.config["SECRET_KEY"] = "deterministic"
         self.login_manager = LoginManager()
         self.login_manager.init_app(self.app)
 
@@ -709,9 +710,7 @@ def test_set_cookie_with_invalid_custom_duration_raises_exception(self):
             with self.app.test_request_context():
                 login_user(notch, remember=True, duration="123")
 
-        expected_exception_message = (
-            "duration must be a datetime.timedelta, instead got: 123"
-        )
+        expected_exception_message = "duration must be a datetime.timedelta, instead got: 123"
         self.assertIn(expected_exception_message, str(cm.exception))
 
     def test_remember_me_no_refresh_every_request(self):
@@ -732,7 +731,7 @@ def test_remember_me_refresh_each_request(self):
             now = datetime.now(timezone.utc)
             mock_dt.now = Mock(return_value=now)
 
-            domain = self.app.config["REMEMBER_COOKIE_DOMAIN"] = "localhost.local"
+            domain = self.app.config["REMEMBER_COOKIE_DOMAIN"] = "localhost"
             path = self.app.config["REMEMBER_COOKIE_PATH"] = "/"
             self.app.config["REMEMBER_COOKIE_REFRESH_EACH_REQUEST"] = True
             c = self.app.test_client()
@@ -886,9 +885,7 @@ def test_user_login_confirmed_signal_fired(self):
     def test_session_not_modified(self):
         with self.app.test_client() as c:
             # Within the request we think we didn't modify the session.
-            self.assertEqual(
-                "modified=False", c.get("/empty_session").data.decode("utf-8")
-            )
+            self.assertEqual("modified=False", c.get("/empty_session").data.decode("utf-8"))
             # But after the request, the session could be modified by the
             # "after_request" handlers that call _update_remember_cookie.
             # Ensure that if nothing changed the session is not modified.
@@ -1260,25 +1257,19 @@ def test_make_next_param(self):
             url = make_next_param("https://localhost/login", "http://localhost/profile")
             self.assertEqual("http://localhost/profile", url)
 
-            url = make_next_param(
-                "http://accounts.localhost/login", "http://localhost/profile"
-            )
+            url = make_next_param("http://accounts.localhost/login", "http://localhost/profile")
             self.assertEqual("http://localhost/profile", url)
 
     def test_login_url_generation(self):
         with self.app.test_request_context():
             PROTECTED = "http://localhost/protected"
 
-            self.assertEqual(
-                "/login?n=%2Fprotected", login_url("/login", PROTECTED, "n")
-            )
+            self.assertEqual("/login?n=%2Fprotected", login_url("/login", PROTECTED, "n"))
 
             url = login_url("/login", PROTECTED)
             self.assertEqual("/login?next=%2Fprotected", url)
 
-            expected = (
-                "https://auth.localhost/login?next=http%3A%2F%2Flocalhost%2Fprotected"
-            )
+            expected = "https://auth.localhost/login?next=http%3A%2F%2Flocalhost%2Fprotected"
             result = login_url("https://auth.localhost/login", PROTECTED)
             self.assertEqual(expected, result)
 
@@ -1290,9 +1281,7 @@ def test_login_url_generation(self):
 
     def test_login_url_generation_with_view(self):
         with self.app.test_request_context():
-            self.assertEqual(
-                "/login?next=%2Fprotected", login_url("login", "/protected")
-            )
+            self.assertEqual("/login?next=%2Fprotected", login_url("login", "/protected"))
 
     def test_login_url_no_next_url(self):
         self.assertEqual(login_url("/foo"), "/foo")