Use app init enc key by default for all queries

This can be updated later to allow users with cookies enabled to use a key that is unique to their session (if they want, not mandatory), but for now it makes more sense to just use a single key for all queries from all users. This should eliminate a lot of issues that users have reported where they are unable to decrypt queries or page elements due to an expired/renewed session key.
1 year ago · 0310f0f542
parent 1226b8db9c
commit 0310f0f542
6 changed files with 26 additions and 24 deletions
--- a/app/init.py
+++ b/app/init.py
@ -1,6 +1,6 @@
 from app.filter import clean_query
 from app.request import send_tor_signal
-from app.utils.session import generate_user_key
+from app.utils.session import generate_key
 from app.utils.bangs import gen_bangs_json
 from app.utils.misc import gen_file_hash, read_config_bool
 from base64 import b64encode
@ -31,7 +31,7 @@ dot_env_path = (
 if read_config_bool('WHOOGLE_DOTENV'):
    load_dotenv(dot_env_path)

-app.default_key = generate_user_key()
+app.enc_key = generate_key()

 if read_config_bool('HTTPS_ONLY'):
    app.config['SESSION_COOKIE_NAME'] = '__Secure-session'
--- a/app/routes.py
+++ b/app/routes.py
@ -22,7 +22,7 @@ from app.utils.misc import read_config_bool, get_client_ip, get_request_url, \
 from app.utils.results import add_ip_card, bold_search_terms,\
    add_currency_card, check_currency, get_tabs_content
 from app.utils.search import Search, needs_https, has_captcha
-from app.utils.session import generate_user_key, valid_user_session
+from app.utils.session import valid_user_session
 from bs4 import BeautifulSoup as bsoup
 from flask import jsonify, make_response, request, redirect, render_template, \
    send_file, session, url_for, g
@ -67,11 +67,16 @@ def auth_required(f):
 def session_required(f):
    @wraps(f)
    def decorated(*args, **kwargs):
-        if (valid_user_session(session)):
-            g.session_key = session['key']
-        else:
+        if not valid_user_session(session):
            session.pop('_permanent', None)
-            g.session_key = app.default_key
+
+        # Note: This sets all requests to use the encryption key determined per
+        # instance on app init. This can be updated in the future to use a key
+        # that is unique for their session (session['key']) but this should use
+        # a config setting to enable the session based key. Otherwise there can
+        # be problems with searches performed by users with cookies blocked if
+        # a session based key is always used.
+        g.session_key = app.enc_key

        # Clear out old sessions
        invalid_sessions = []
@ -130,14 +135,17 @@ def before_request_func():
        if os.path.exists(app.config['DEFAULT_CONFIG']) else {}

    # Generate session values for user if unavailable
-    if (not valid_user_session(session)):
+    if not valid_user_session(session):
        session['config'] = default_config
        session['uuid'] = str(uuid.uuid4())
-        session['key'] = generate_user_key()
+        session['key'] = app.enc_key

    # Establish config values per user session
    g.user_config = Config(**session['config'])

+    # Update user config if specified in search args
+    g.user_config = g.user_config.from_params(g.request_params)
+
    if not g.user_config.url:
        g.user_config.url = get_request_url(request.url_root)

@ -193,9 +201,6 @@ def index():
        session['error_message'] = ''
        return render_template('error.html', error_message=error_message)

-    # Update user config if specified in search args
-    g.user_config = g.user_config.from_params(g.request_params)
-
    return render_template('index.html',
                           has_update=app.config['HAS_UPDATE'],
                           languages=app.config['LANGUAGES'],
@ -283,9 +288,6 @@ def autocomplete():
@session_required
@auth_required
 def search():
-    # Update user config if specified in search args
-    g.user_config = g.user_config.from_params(g.request_params)
-
    search_util = Search(request, g.user_config, g.session_key)
    query = search_util.new_search_query()

--- a/app/utils/session.py
+++ b/app/utils/session.py
@ -4,7 +4,7 @@ from flask import current_app as app
 REQUIRED_SESSION_VALUES = ['uuid', 'config', 'key']


-def generate_user_key() -> bytes:
+def generate_key() -> bytes:
    """Generates a key for encrypting searches and element URLs

    Args:
--- a/test/conftest.py
+++ b/test/conftest.py
@ -1,5 +1,5 @@
 from app import app
-from app.utils.session import generate_user_key
+from app.utils.session import generate_key
 import pytest
 import random

@ -18,6 +18,6 @@ def client():
    with app.test_client() as client:
        with client.session_transaction() as session:
            session['uuid'] = 'test'
-            session['key'] = generate_user_key()
+            session['key'] = app.enc_key
            session['config'] = {}
        yield client
--- a/test/test_misc.py
+++ b/test/test_misc.py
@ -2,7 +2,7 @@ from cryptography.fernet import Fernet

 from app import app
 from app.models.endpoint import Endpoint
-from app.utils.session import generate_user_key, valid_user_session
+from app.utils.session import generate_key, valid_user_session


 JAPAN_PREFS = 'uG-gGIJwHdqxl6DrS3mnu_511HlQcRpxYlG03Xs-' \
@ -20,9 +20,9 @@ JAPAN_PREFS = 'uG-gGIJwHdqxl6DrS3mnu_511HlQcRpxYlG03Xs-' \


 def test_generate_user_keys():
-    key = generate_user_key()
+    key = generate_key()
    assert Fernet(key)
-    assert generate_user_key() != key
+    assert generate_key() != key


 def test_valid_session(client):
--- a/test/test_results.py
+++ b/test/test_results.py
@ -2,7 +2,7 @@ from bs4 import BeautifulSoup
 from app.filter import Filter
 from app.models.config import Config
 from app.models.endpoint import Endpoint
-from app.utils.session import generate_user_key
+from app.utils.session import generate_key
 from datetime import datetime
 from dateutil.parser import ParserError, parse
 from urllib.parse import urlparse
@ -11,7 +11,7 @@ from test.conftest import demo_config


 def get_search_results(data):
-    secret_key = generate_user_key()
+    secret_key = generate_key()
    soup = Filter(user_key=secret_key, config=Config(**demo_config)).clean(
        BeautifulSoup(data, 'html.parser'))

@ -132,7 +132,7 @@ def test_leading_slash_search(client):
    assert rv._status_code == 200

    soup = Filter(
-        user_key=generate_user_key(),
+        user_key=generate_key(),
        config=Config(**demo_config),
        query=q
    ).clean(BeautifulSoup(rv.data, 'html.parser'))