From 0310f0f5421cb3984f947bb549866c1e0457ae5b Mon Sep 17 00:00:00 2001
From: Ben Busby <contact@benbusby.com>
Date: Mon, 5 Dec 2022 12:14:14 -0700
Subject: [PATCH] Use app init enc key by default for all queries

This can be updated later to allow users with cookies enabled to use a
key that is unique to their session (if they want, not mandatory), but
for now it makes more sense to just use a single key for all queries
from all users. This should eliminate a lot of issues that users have
reported where they are unable to decrypt queries or page elements due
to an expired/renewed session key.
---
 app/__init__.py      |  4 ++--
 app/routes.py        | 28 +++++++++++++++-------------
 app/utils/session.py |  2 +-
 test/conftest.py     |  4 ++--
 test/test_misc.py    |  6 +++---
 test/test_results.py |  6 +++---
 6 files changed, 26 insertions(+), 24 deletions(-)

diff --git a/app/__init__.py b/app/__init__.py
index a9b6f81..a2ef043 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -1,6 +1,6 @@
 from app.filter import clean_query
 from app.request import send_tor_signal
-from app.utils.session import generate_user_key
+from app.utils.session import generate_key
 from app.utils.bangs import gen_bangs_json
 from app.utils.misc import gen_file_hash, read_config_bool
 from base64 import b64encode
@@ -31,7 +31,7 @@ dot_env_path = (
 if read_config_bool('WHOOGLE_DOTENV'):
     load_dotenv(dot_env_path)
 
-app.default_key = generate_user_key()
+app.enc_key = generate_key()
 
 if read_config_bool('HTTPS_ONLY'):
     app.config['SESSION_COOKIE_NAME'] = '__Secure-session'
diff --git a/app/routes.py b/app/routes.py
index c1bb56b..d48a387 100644
--- a/app/routes.py
+++ b/app/routes.py
@@ -22,7 +22,7 @@ from app.utils.misc import read_config_bool, get_client_ip, get_request_url, \
 from app.utils.results import add_ip_card, bold_search_terms,\
     add_currency_card, check_currency, get_tabs_content
 from app.utils.search import Search, needs_https, has_captcha
-from app.utils.session import generate_user_key, valid_user_session
+from app.utils.session import valid_user_session
 from bs4 import BeautifulSoup as bsoup
 from flask import jsonify, make_response, request, redirect, render_template, \
     send_file, session, url_for, g
@@ -67,11 +67,16 @@ def auth_required(f):
 def session_required(f):
     @wraps(f)
     def decorated(*args, **kwargs):
-        if (valid_user_session(session)):
-            g.session_key = session['key']
-        else:
+        if not valid_user_session(session):
             session.pop('_permanent', None)
-            g.session_key = app.default_key
+
+        # Note: This sets all requests to use the encryption key determined per
+        # instance on app init. This can be updated in the future to use a key
+        # that is unique for their session (session['key']) but this should use
+        # a config setting to enable the session based key. Otherwise there can
+        # be problems with searches performed by users with cookies blocked if
+        # a session based key is always used.
+        g.session_key = app.enc_key
 
         # Clear out old sessions
         invalid_sessions = []
@@ -130,14 +135,17 @@ def before_request_func():
         if os.path.exists(app.config['DEFAULT_CONFIG']) else {}
 
     # Generate session values for user if unavailable
-    if (not valid_user_session(session)):
+    if not valid_user_session(session):
         session['config'] = default_config
         session['uuid'] = str(uuid.uuid4())
-        session['key'] = generate_user_key()
+        session['key'] = app.enc_key
 
     # Establish config values per user session
     g.user_config = Config(**session['config'])
 
+    # Update user config if specified in search args
+    g.user_config = g.user_config.from_params(g.request_params)
+
     if not g.user_config.url:
         g.user_config.url = get_request_url(request.url_root)
 
@@ -193,9 +201,6 @@ def index():
         session['error_message'] = ''
         return render_template('error.html', error_message=error_message)
 
-    # Update user config if specified in search args
-    g.user_config = g.user_config.from_params(g.request_params)
-
     return render_template('index.html',
                            has_update=app.config['HAS_UPDATE'],
                            languages=app.config['LANGUAGES'],
@@ -283,9 +288,6 @@ def autocomplete():
 @session_required
 @auth_required
 def search():
-    # Update user config if specified in search args
-    g.user_config = g.user_config.from_params(g.request_params)
-
     search_util = Search(request, g.user_config, g.session_key)
     query = search_util.new_search_query()
 
diff --git a/app/utils/session.py b/app/utils/session.py
index 7aea933..8e1156b 100644
--- a/app/utils/session.py
+++ b/app/utils/session.py
@@ -4,7 +4,7 @@ from flask import current_app as app
 REQUIRED_SESSION_VALUES = ['uuid', 'config', 'key']
 
 
-def generate_user_key() -> bytes:
+def generate_key() -> bytes:
     """Generates a key for encrypting searches and element URLs
 
     Args:
diff --git a/test/conftest.py b/test/conftest.py
index 64e49f5..a91a803 100644
--- a/test/conftest.py
+++ b/test/conftest.py
@@ -1,5 +1,5 @@
 from app import app
-from app.utils.session import generate_user_key
+from app.utils.session import generate_key
 import pytest
 import random
 
@@ -18,6 +18,6 @@ def client():
     with app.test_client() as client:
         with client.session_transaction() as session:
             session['uuid'] = 'test'
-            session['key'] = generate_user_key()
+            session['key'] = app.enc_key
             session['config'] = {}
         yield client
diff --git a/test/test_misc.py b/test/test_misc.py
index 3d364af..bd923c3 100644
--- a/test/test_misc.py
+++ b/test/test_misc.py
@@ -2,7 +2,7 @@ from cryptography.fernet import Fernet
 
 from app import app
 from app.models.endpoint import Endpoint
-from app.utils.session import generate_user_key, valid_user_session
+from app.utils.session import generate_key, valid_user_session
 
 
 JAPAN_PREFS = 'uG-gGIJwHdqxl6DrS3mnu_511HlQcRpxYlG03Xs-' \
@@ -20,9 +20,9 @@ JAPAN_PREFS = 'uG-gGIJwHdqxl6DrS3mnu_511HlQcRpxYlG03Xs-' \
 
 
 def test_generate_user_keys():
-    key = generate_user_key()
+    key = generate_key()
     assert Fernet(key)
-    assert generate_user_key() != key
+    assert generate_key() != key
 
 
 def test_valid_session(client):
diff --git a/test/test_results.py b/test/test_results.py
index 994102b..d36f2a5 100644
--- a/test/test_results.py
+++ b/test/test_results.py
@@ -2,7 +2,7 @@ from bs4 import BeautifulSoup
 from app.filter import Filter
 from app.models.config import Config
 from app.models.endpoint import Endpoint
-from app.utils.session import generate_user_key
+from app.utils.session import generate_key
 from datetime import datetime
 from dateutil.parser import ParserError, parse
 from urllib.parse import urlparse
@@ -11,7 +11,7 @@ from test.conftest import demo_config
 
 
 def get_search_results(data):
-    secret_key = generate_user_key()
+    secret_key = generate_key()
     soup = Filter(user_key=secret_key, config=Config(**demo_config)).clean(
         BeautifulSoup(data, 'html.parser'))
 
@@ -132,7 +132,7 @@ def test_leading_slash_search(client):
     assert rv._status_code == 200
 
     soup = Filter(
-        user_key=generate_user_key(),
+        user_key=generate_key(),
         config=Config(**demo_config),
         query=q
     ).clean(BeautifulSoup(rv.data, 'html.parser'))