Fix various application issues, especially session storage

Author: khteh

Pipfile

@@ -23,6 +23,7 @@ quart-flask-patch = "*"
 aioquic = "*"
 psycopg-pool = "*"
 psycopg = {extras = ["binary"], version = "*"}
+jsonpickle = "*"
 
 [dev-packages]
 pytest-flask = "*"

Pipfile.lock

@@ -46,6 +46,8 @@ $ pipenv install --python=/path/to/python
 
 ## Database Migration
 
+- Copy `env.py` to `migrations/` folder.
+- Set the values -f `DB_foo` in `/etc/pythonrestapi_config.json`
 - run migrations initialization with db init command:
 
   ```

README.md

@@ -35,7 +35,7 @@
 config.set_section_option(section, "DB_PASSWORD", urllib.parse.quote_plus(json_config['DB_PASSWORD']).replace("%", "%%"))
 config.set_section_option(section, "DB_HOST", json_config["DB_HOST"])
 config.set_section_option(section, "DB_DATABASE", json_config["DB_DATABASE"])
-def run_migrations_offline():
+def run_migrations_offline() -> None:
     """Run migrations in 'offline' mode.
 
     This configures the context with just a URL
@@ -59,15 +59,15 @@ def run_migrations_offline():
         context.run_migrations()
 
 
-def run_migrations_online():
+def run_migrations_online() -> None:
     """Run migrations in 'online' mode.
 
     In this scenario we need to create an Engine
     and associate a connection with the context.
 
     """
     connectable = engine_from_config(
-        config.get_section(config.config_ini_section),
+        config.get_section(config.config_ini_section, {}),
         prefix="sqlalchemy.",
         poolclass=pool.NullPool,
     )

env.py

@@ -35,7 +35,8 @@
 config.set_section_option(section, "DB_PASSWORD", urllib.parse.quote_plus(json_config['DB_PASSWORD']).replace("%", "%%"))
 config.set_section_option(section, "DB_HOST", json_config["DB_HOST"])
 config.set_section_option(section, "DB_DATABASE", json_config["DB_DATABASE"])
-def run_migrations_offline():
+
+def run_migrations_offline() -> None:
     """Run migrations in 'offline' mode.
 
     This configures the context with just a URL
@@ -59,15 +60,15 @@ def run_migrations_offline():
         context.run_migrations()
 
 
-def run_migrations_online():
+def run_migrations_online() -> None:
     """Run migrations in 'online' mode.
 
     In this scenario we need to create an Engine
     and associate a connection with the context.
 
     """
     connectable = engine_from_config(
-        config.get_section(config.config_ini_section),
+        config.get_section(config.config_ini_section, {}),
         prefix="sqlalchemy.",
         poolclass=pool.NullPool,
     )

migrations/env.py

@@ -5,20 +5,24 @@ Revises: ${down_revision | comma,n}
 Create Date: ${create_date}
 
 """
+from typing import Sequence, Union
+
 from alembic import op
 import sqlalchemy as sa
 ${imports if imports else ""}
 
 # revision identifiers, used by Alembic.
-revision = ${repr(up_revision)}
-down_revision = ${repr(down_revision)}
-branch_labels = ${repr(branch_labels)}
-depends_on = ${repr(depends_on)}
+revision: str = ${repr(up_revision)}
+down_revision: Union[str, None] = ${repr(down_revision)}
+branch_labels: Union[str, Sequence[str], None] = ${repr(branch_labels)}
+depends_on: Union[str, Sequence[str], None] = ${repr(depends_on)}
 
 
 def upgrade() -> None:
+    """Upgrade schema."""
     ${upgrades if upgrades else "pass"}
 
 
 def downgrade() -> None:
+    """Downgrade schema."""
     ${downgrades if downgrades else "pass"}

migrations/script.py.mako

@@ -1,22 +1,25 @@
 """Initial migration
 
-Revision ID: a4691bb6ae7d
+Revision ID: 0c9d8b840acc
 Revises: 
-Create Date: 2022-10-01 15:11:29.047624
+Create Date: 2025-03-19 14:01:32.354283
 
 """
+from typing import Sequence, Union
+
 from alembic import op
 import sqlalchemy as sa
 
 
 # revision identifiers, used by Alembic.
-revision = 'a4691bb6ae7d'
-down_revision = None
-branch_labels = None
-depends_on = None
+revision: str = '0c9d8b840acc'
+down_revision: Union[str, None] = None
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
 
 
 def upgrade() -> None:
+    """Upgrade schema."""
     # ### commands auto generated by Alembic - please adjust! ###
     op.create_table('authors',
     sa.Column('id', sa.Integer(), nullable=False),
@@ -59,6 +62,7 @@ def upgrade() -> None:
 
 
 def downgrade() -> None:
+    """Downgrade schema."""
     # ### commands auto generated by Alembic - please adjust! ###
     op.drop_table('books')
     op.drop_index(op.f('ix_users_phone'), table_name='users')

migrations/versions/a4691bb6ae7d_initial_migration.py renamed to migrations/versions/0c9d8b840acc_initial_migration.py

@@ -1,5 +1,5 @@
-import jwt, logging
-from datetime import datetime, timezone
+import jwt, logging, jsonpickle
+from datetime import datetime, timezone, timedelta
 from quart import json, Response, session, redirect, url_for, session, abort, current_app
 #from flask_oidc import OpenIDConnect
 from functools import wraps
@@ -23,7 +23,7 @@ def generate_token(user_id):
                 now = datetime.now(timezone.utc)
                 # https://pyjwt.readthedocs.io/en/latest/usage.html#registered-claim-names
                 payload = {
-                    "exp": now + datetime.timedelta(hours=1),
+                    "exp": now + timedelta(hours=1),
                     "iat": now,
                     "nbf": now,
                     "iss": "urn:PythonFlaskRestAPI",
@@ -73,11 +73,14 @@ def actual_auth_required(func):
             def decorated_auth_required(*args, **kwargs):
                 session["url"] = url_for(url, *args, **kwargs) if url else url
                 #if "api-token" not in request.headers:
-                if "user" not in session or not session["user"] or not session["user"]["token"]:
+                if "user" not in session or not session["user"]: # or not session["user"]["token"]:
                     #await flash(f"Please login to continue.", "info")
                     return redirect(url_for("auth.login"))
+                user = jsonpickle.decode(session['user'])
+                if not user or not hasattr(user, 'token'):
+                    return redirect(url_for("auth.login"))
                 #token = request.headers.get("api-token")
-                data = Authentication.decode_token(session["user"]["token"])
+                data = Authentication.decode_token(user.token)
                 if data["error"]:
                     logging.warning(f"[Auth] error: {data['error']}!")                
                     #await flash(f"{data['error']}", "danger")
@@ -100,8 +103,12 @@ def require_role(role):
         def decorated_require_role(func):
             @wraps(func)
             def wrapped_require_role(*args, **kwargs):
-                if Authentication.isAuthenticated() and role in session["user"]["roles"]:
-                    return func(*args, **kwargs)
+                if Authentication.isAuthenticated() and "user" in session:
+                    user = jsonpickle.decode(session['user'])
+                    if role in user.roles:
+                        return func(*args, **kwargs)
+                    else:
+                        return abort(403)
                 else:
                     return abort(403)
             return wrapped_require_role

src/common/Authentication.py

@@ -1,4 +1,4 @@
-import logging
+import logging, jsonpickle
 from quart import request, json, Blueprint, session, render_template, session, redirect, url_for
 from marshmallow import ValidationError
 from datetime import datetime, timezone
@@ -40,11 +40,12 @@ async def login():
                 logging.warning(f"[Auth] Invalid email or password {data.get('email')}!")
                 return await render_template("login.html", title="Welcome to Python Flask RESTful API", error="Invalid email or password!")
             ser_data = user_schema.dump(user)
-            token = Authentication.generate_token(ser_data.get("id"))
-            session["user"] = {"id": ser_data.get("id"), "email": user.email, "token": token}
+            user.token = Authentication.generate_token(ser_data.get("id"))
+            #session["user"] = {"id": ser_data.get("id"), "email": user.email, "token": token}
             #return custom_response({"jwt_token": token}, 200)
             data["lastlogin"] = datetime.now(timezone.utc)
             user.update(data)
+            session['user'] = jsonpickle.encode(user)
             logging.info(f"[Auth] User {user.email} logged in")
             if "url" in session and session["url"]:
                 return redirect(session["url"])
@@ -105,7 +106,7 @@ async def logout():
     User Logout
     """
     print(f"logout()")
-    logging.info(f"[Auth] User {session['user']['email']} logged out")
+    logging.info(f"[Auth] User logged out")
     session["url"] = None
     session["user"] = None
     return redirect(url_for("home.index"))
@@ -127,7 +128,8 @@ async def profile():
     """
     Get my profile
     """
-    user = UserModel.get_user(session["user"]["id"])
+    u = jsonpickle.decode(session['user'])
+    user = UserModel.get_user(u.id)
     if not user:
-        raise Exception(f"User {session['user']['id']} not found!")
+        raise Exception(f"User {u.id} not found!")
     return custom_response(user_schema.dump(user), 200)

src/controllers/AuthenticationController.py

@@ -1,4 +1,4 @@
-import re, logging
+import re, logging, jsonpickle
 from quart import request, Blueprint, session, render_template, flash, redirect, url_for
 from marshmallow import ValidationError
 from datetime import datetime, timezone
@@ -27,6 +27,7 @@ async def create():
     """
     Create Author
     """
+    user = jsonpickle.decode(session['user'])
     if request.method == "POST":	
         try:
             form = await request.form
@@ -65,12 +66,12 @@ async def create():
             author = AuthorModel(data)
             author.save()
             await flash(f"Author {author.firstname}, {author.lastname} created successfully!", "success")
-            logging.info(f"User {session['user']['email']} created author {author.email} successfully!")
+            logging.info(f"User {user.email} created author {author.email} successfully!")
             return redirect(url_for("author.index"))
         except ValidationError as err:
             errors = err.messages
             valid_data = err.valid_data	
-            logging.error(f"User {session['user']['email']} failed to creat author! Exception: {errors}")
+            logging.error(f"User {user.email} failed to creat author! Exception: {errors}")
             await flash(f"Failed to create author! {err.messages}", "danger")
             return redirect(url_for("author.create"))
     return await render_template("author_create.html", title="Welcome to Python Flask RESTful API")
@@ -81,7 +82,7 @@ async def get_author(id):
     """
     Get Auhor 'id'
     """
-    author = auhor_schema.dump(AuthorModel.get_author(id))
+    author = author_schema.dump(AuthorModel.get_author(id))
     if not author:
         return custom_response({"error": f"Author {id} not found!"}, 404)
     return custom_response(author_schema.dump(author), 200)
@@ -125,6 +126,7 @@ async def update(id):
     """
     Update Author 'id'
     """
+    user = jsonpickle.decode(session['user'])
     try:
         req_data = await request.get_json()
         data = author_schema.load(req_data, partial=True)
@@ -136,12 +138,12 @@ async def update(id):
             await flash(f"Trying to update non-existing author {id}!", "warning")
             return redirect(url_for("author.index"))
         author.update(data)
-        logging.info(f"User {session['user']['email']} updated author {author.email} successfully!")
+        logging.info(f"User {user.email} updated author {author.email} successfully!")
         await flash(f"Author {author.firstname}, {author.lastname} updated successfully!", "success")
     except ValidationError as err:
         errors = err.messages
         valid_data = err.valid_data
-        logging.error(f"User {session['user']['email']} failed to update author {id}! Exception: {errors}")
+        logging.error(f"User {user.email} failed to update author {id}! Exception: {errors}")
         await flash(f"Failed to update author {id}! Exception: {errors}", "danger")
     return redirect(url_for("author.index"))
 
@@ -151,18 +153,19 @@ async def delete(id):
     """
     Delete Author 'id'
     """
+    user = jsonpickle.decode(session['user'])
     try:
         author = AuthorModel.get_author(id)
         if not author:
             await flash(f"Trying to delete non-existing author {id}!", "warning")
             return redirect(url_for("author.index"))
         author.delete()
-        logging.warning(f"User {session['user']['email']} deleted author {author.email} successfully!")
+        logging.warning(f"User {user.email} deleted author {author.email} successfully!")
         await flash(f"Author {author.firstname}, {author.lastname} deleted successfully!", "success")
     except ValidationError as err:
         errors = err.messages
         valid_data = err.valid_data	
         print(f"Failed to delete author {id} error! {errors}")		
-        logging.error(f"User {session['user']['email']} failed to delete author {id}! Exception: {errors}")
+        logging.error(f"User {user.email} failed to delete author {id}! Exception: {errors}")
         await flash(f"Failed to delete author {id}! Exception: {errors}", "danger")
     return redirect(url_for("user.index"))