B ¬]BZ¤/ã@s°dZddlZddlZddlmZddlmZddlmZddl m Z m Z m Z ddl mZmZddlmZdd lmZdd lmZdd l mZGd d „d eƒZGdd„deƒZdS)a werkzeug.contrib.securecookie ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This module implements a cookie that is not alterable from the client because it adds a checksum the server checks for. You can use it as session replacement if all you have is a user id or something to mark a logged in user. Keep in mind that the data is still readable from the client as a normal cookie is. However you don't have to store and flush the sessions you have at the server. Example usage: >>> from werkzeug.contrib.securecookie import SecureCookie >>> x = SecureCookie({"foo": 42, "baz": (1, 2, 3)}, "deadbeef") Dumping into a string so that one can store it in a cookie: >>> value = x.serialize() Loading from that string again: >>> x = SecureCookie.unserialize(value, "deadbeef") >>> x["baz"] (1, 2, 3) If someone modifies the cookie and the checksum is wrong the unserialize method will fail silently and return a new empty `SecureCookie` object. Keep in mind that the values will be visible in the cookie so do not store data in a cookie you don't want the user to see. Application Integration ======================= If you are using the werkzeug request objects you could integrate the secure cookie into your application like this:: from werkzeug.utils import cached_property from werkzeug.wrappers import BaseRequest from werkzeug.contrib.securecookie import SecureCookie # don't use this key but a different one; you could just use # os.urandom(20) to get something random SECRET_KEY = '\xfa\xdd\xb8z\xae\xe0}4\x8b\xea' class Request(BaseRequest): @cached_property def client_session(self): data = self.cookies.get('session_data') if not data: return SecureCookie(secret_key=SECRET_KEY) return SecureCookie.unserialize(data, SECRET_KEY) def application(environ, start_response): request = Request(environ) # get a response object here response = ... if request.client_session.should_save: session_data = request.client_session.serialize() response.set_cookie('session_data', session_data, httponly=True) return response(environ, start_response) A less verbose integration can be achieved by using shorthand methods:: class Request(BaseRequest): @cached_property def client_session(self): return SecureCookie.load_cookie(self, secret_key=COOKIE_SECRET) def application(environ, start_response): request = Request(environ) # get a response object here response = ... request.client_session.save_cookie(response) return response(environ, start_response) :copyright: (c) 2014 by the Werkzeug Team, see AUTHORS for more details. :license: BSD, see LICENSE for more details. éN)Únew)Útime)Úsha1)Ú iteritemsÚ text_typeÚto_bytes)Úurl_quote_plusÚurl_unquote_plus)Ú _date_to_unix)ÚModificationTrackingDict)Ú safe_str_cmp)Ú to_nativec@seZdZdZdS)Ú UnquoteErrorz6Internal exception used to signal failures on quoting.N)Ú__name__Ú __module__Ú __qualname__Ú__doc__©rrú>> x = SecureCookie({"foo": 42, "baz": (1, 2, 3)}, "deadbeef") >>> x["foo"] 42 >>> x["baz"] (1, 2, 3) >>> x["blafasel"] = 23 >>> x.should_save True :param data: the initial data. Either a dict, list of tuples or `None`. :param secret_key: the secret key. If not set `None` or not specified it has to be set before :meth:`serialize` is called. :param new: The initial value of the `new` flag. TNcCs2t ||p d¡|dk r"t|dƒ}||_||_dS)Nrzutf-8)r Ú__init__rÚ secret_keyr)ÚselfÚdatarrrrrr–s  zSecureCookie.__init__cCs"d|jjt |¡|jrdpdfS)Nz <%s %s%s>Ú*Ú)Ú __class__rÚdictÚ__repr__Ú should_save)rrrrrŸszSecureCookie.__repr__cCs|jS)z‚True if the session should be saved. By default this is only true for :attr:`modified` cookies, not :attr:`new`. )Zmodified)rrrrr¦szSecureCookie.should_savecCs8|jdk r|j |¡}|jr4d t |¡ ¡¡ ¡}|S)zžQuote the value for the cookie. This can be any object supported by :attr:`serialization_method`. :param value: the value to quote. Nó)Úserialization_methodÚdumpsÚ quote_base64ÚjoinÚbase64Ú b64encodeÚ splitlinesÚstrip)ÚclsÚvaluerrrÚquote­s   zSecureCookie.quotecCsJy*|jrt |¡}|jdk r(|j |¡}|Stk rDtƒ‚YnXdS)zœUnquote the value for the cookie. If unquoting does not work a :exc:`UnquoteError` is raised. :param value: the value to unquote. N)r#r%Ú b64decoder!ÚloadsÚ Exceptionr)r)r*rrrÚunquoteºs   zSecureCookie.unquotecCs¬|jdkrtdƒ‚|r"t|ƒ|d<g}t|jd|jƒ}xRt| ¡ƒD]B\}}| dt|ƒ|  |¡  d¡f  d¡¡|  d|d¡qDWd  t | ¡¡ ¡d   |¡g¡S) a{Serialize the secure cookie into a string. If expires is provided, the session will be automatically invalidated after expiration when you unseralize it. This provides better protection against session cookie theft. :param expires: an optional expiration date for the cookie (a :class:`datetime.datetime` object) Nzno secret key definedÚ_expiresz%s=%sÚasciió|éÿÿÿÿó?ó&)rÚ RuntimeErrorr ÚhmacÚ hash_methodÚsortedÚitemsÚappendrr+ÚdecodeÚencodeÚupdater$r%r&Údigestr()rÚexpiresÚresultÚmacÚkeyr*rrrÚ serializeÍs  zSecureCookie.serializec Cs°t|tƒr| dd¡}t|tƒr,| dd¡}y| dd¡\}}Wnttfk r^d}YnFXi}t|d|jƒ}xv| d¡D]h}| d|¡d |kržd}P| d d¡\}} t |  d ¡ƒ}y t |ƒ}Wnt k rÜYnX| ||<q~Wyt  |¡} Wntk rd}} YnX|dk r t| | ¡ƒr y*x$t|ƒD]\}} | | ¡||<q>WWntk rvd}Yn(Xd |kr¤tƒ|d kr˜d}n|d =nd}|||d ƒS) zèLoad the secure cookie from a serialized string. :param string: the cookie value to unserialize. :param secret_key: the secret key used to serialize the cookie. :return: a new :class:`SecureCookie`. zutf-8Úreplacer4érNr5r2ó=r1r0F)Ú isinstancerr=ÚsplitÚ ValueErrorÚ IndexErrorr7r8r>r r<r Ú UnicodeErrorr%r,Ú TypeErrorr r?rr/rr) r)ÚstringrZ base64_hashrr:rBÚitemrCr*Z client_hashrrrÚ unserializeèsL         zSecureCookie.unserializeÚsessioncCs&|j |¡}|s||dS| ||¡S)aLoads a :class:`SecureCookie` from a cookie in request. If the cookie is not set, a new :class:`SecureCookie` instanced is returned. :param request: a request object that has a `cookies` attribute which is a dict of all cookie values. :param key: the name of the cookie. :param secret_key: the secret key used to unquote the cookie. Always provide the value even though it has no default! )r)ZcookiesÚgetrP)r)ZrequestrCrrrrrÚ load_cookies  zSecureCookie.load_cookieú/Fc Cs6| s |jr2| |p|¡} |j|| |||||| ddS)a=Saves the SecureCookie in a cookie on response object. All parameters that are not described here are forwarded directly to :meth:`~BaseResponse.set_cookie`. :param response: a response object that has a :meth:`~BaseResponse.set_cookie` method. :param key: the name of the cookie. :param session_expires: the expiration date of the secure cookie stored information. If this is not provided the cookie `expires` date is used instead. )r@Úmax_ageÚpathÚdomainÚsecureÚhttponlyN)rrDZ set_cookie) rZresponserCr@Zsession_expiresrUrVrWrXrYZforcerrrrÚ save_cookie1s   zSecureCookie.save_cookie)NNT)N)rQN) rQNNNrTNNFF)rrrrÚ staticmethodÚ _default_hashr8Úpickler!r#rrÚpropertyrÚ classmethodr+r/rDrPrSrZrrrrrns      7 r)rr]r%r7rrZhashlibrr\Zwerkzeug._compatrrrZ werkzeug.urlsrr Zwerkzeug._internalr Zwerkzeug.contrib.sessionsr Zwerkzeug.securityr r r.rrrrrrÚZs