From 75a3ec9d7e3af85799e06566f096a09627de4031 Mon Sep 17 00:00:00 2001
From: Rune Olsen
Date: Fri, 23 Jan 2026 08:38:34 +0100
Subject: [PATCH] Changed app for proxy and https++
---
 Dockerfile | 5 ++---
 app.py | 45 ++++++++++++++++++---------------------------
 docker-compose.yml | 6 +++++-
 requirements.txt | 2 --
 4 files changed, 25 insertions(+), 33 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index c91a0ee..b1fd91d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,9 +15,8 @@ COPY reset_password.py .
 COPY templates/ templates/
 COPY static/ static/
-# Create data and session directories
-RUN mkdir -p /app/data /app/data/flask_sessions && \
- chmod 777 /app/data/flask_sessions
+# Create data directory
+RUN mkdir -p /app/data
 # Copy entrypoint script and make scripts executable
 COPY docker-entrypoint.sh .
diff --git a/app.py b/app.py
index fade4dc..20ccf31 100644
--- a/app.py
+++ b/app.py
@@ -1,5 +1,4 @@
-from flask import Flask, render_template, request, jsonify, redirect, url_for, session
-from flask_session import Session
+from flask import Flask, render_template, request, jsonify, redirect, url_for, session, make_response
 from functools import wraps
 from werkzeug.middleware.proxy_fix import ProxyFix
 from datetime import timedelta
@@ -7,9 +6,10 @@ import malias_wrapper as malias_w
 import os
 import argparse
 import sys
+import secrets
 app = Flask(__name__)
-app.secret_key = os.getenv('SECRET_KEY', os.urandom(24).hex()) # Secret key for session management
+app.secret_key = os.getenv('SECRET_KEY', 'malias-default-secret-key-please-change') # Consistent secret key
 # Configure for reverse proxy (Authelia, Zoraxy, Nginx, etc.)
 # This fixes HTTPS detection and redirects when behind a proxy
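Review bot: `make_response` is added to the flask import on the first line of the app.py import hunk, but no hunk in this patch uses it; if the rest of app.py does not either, drop it so the import list reflects what the module actually needs. Only the import block is visible here, so it may be consumed by code outside the patch.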
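Review bot: The new fallback `'malias-default-secret-key-please-change'` on the `app.secret_key` line is a fixed value that anyone reading this repository knows, and with Flask-Session removed by this patch the session becomes a client-side signed cookie, so a deployment that omits SECRET_KEY accepts cookies signed with that public value. The old `os.urandom(24).hex()` default was presumably replaced because it differed per Gunicorn worker, but a known constant is a worse trade than a per-process one. Refuse to start instead: `app.secret_key = os.getenv('SECRET_KEY')`, then `if not app.secret_key:` and `sys.exit('SECRET_KEY environment variable must be set')` (`sys` is already imported in this hunk). The trailing comment `# Consistent secret key` should then state the requirement rather than describe a default.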
@@ -24,31 +24,20 @@ app.wsgi_app = ProxyFix(
 # Initialize database on startup
 malias_w.init_database()
-# Session configuration for reverse proxy
-# Use server-side sessions stored in filesystem (works with multiple Gunicorn workers)
+# Session configuration optimized for reverse proxy with Gunicorn
 app.config.update(
- # Server-side session storage
- SESSION_TYPE='filesystem', # Store sessions on disk (shared across workers)
- SESSION_FILE_DIR='/app/data/flask_sessions', # Session storage directory
- SESSION_PERMANENT=True, # Sessions persist
- PERMANENT_SESSION_LIFETIME=timedelta(hours=24), # 24 hour sessions
-
- # Session cookie settings
- SESSION_COOKIE_NAME='malias_session', # Custom name to avoid conflicts
- SESSION_COOKIE_SECURE=False, # Must be False - backend connection is HTTP
- SESSION_COOKIE_HTTPONLY=True, # Security: prevent JavaScript access
- SESSION_COOKIE_SAMESITE='Lax', # Allow same-site requests (needed for redirects)
- SESSION_COOKIE_PATH='/', # Available for entire application
- SESSION_COOKIE_DOMAIN=None, # Let browser decide
-
- # URL generation
- PREFERRED_URL_SCHEME='https', # Generate HTTPS URLs when behind proxy
- APPLICATION_ROOT='/', # Application root path
+ PERMANENT_SESSION_LIFETIME=timedelta(hours=24),
+ SESSION_COOKIE_NAME='session', # Use standard name
+ SESSION_COOKIE_SECURE=False, # Backend is HTTP
+ SESSION_COOKIE_HTTPONLY=True,
+ SESSION_COOKIE_SAMESITE='Lax', # Lax works better than None for HTTP backend
+ SESSION_COOKIE_PATH='/',
+ SESSION_COOKIE_DOMAIN=None, # Let browser auto-set domain
+ SESSION_REFRESH_EACH_REQUEST=False, # Don't modify session unnecessarily
+ PREFERRED_URL_SCHEME='https',
+ APPLICATION_ROOT='/',
 )
-# Initialize Flask-Session
-Session(app)
-
 def login_required(f):
 """Decorator to require login for routes"""
 @wraps(f)
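Review bot: `SESSION_COOKIE_SECURE=False, # Backend is HTTP` applies the Secure attribute to the wrong hop: the browser enforces it on the browser-to-proxy connection, which this configuration already treats as HTTPS (`PREFERRED_URL_SCHEME='https'` and the `ProxyFix` wrapper named in the hunk header), so the flag can be True and the cookie is still set and sent through the proxy; left False, the session cookie is also sent on any plain-HTTP request to the site. The `SESSION_COOKIE_SAMESITE` comment `# Lax works better than None for HTTP backend` rests on the same misreading, since SameSite is likewise a browser-side attribute independent of the backend scheme. Suggest `SESSION_COOKIE_SECURE=True,  # enforced by the browser on the HTTPS hop the proxy terminates` and rewording the SameSite comment to say why Lax is chosen for the redirect flow. The removed server-side-storage comment is not replaced; a one-line note above `app.config.update(` saying that the session now lives in the signed (not encrypted) client cookie would tell the next reader what changed.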
@@ -64,13 +53,15 @@ def login():
 if request.method == 'POST':
 password = request.json.get('password', '')
 if malias_w.verify_password(password):
- session.permanent = True # Make session persistent
+ session.clear()
+ session.permanent = True
 session['logged_in'] = True
+ session['user_token'] = secrets.token_urlsafe(32)
+ session.modified = True
 return jsonify({'status': 'success', 'message': 'Login successful'})
 else:
 return jsonify({'status': 'error', 'message': 'Invalid password'})
- # Check if already logged in
 if session.get('logged_in'):
 return redirect(url_for('index'))
diff --git a/docker-compose.yml b/docker-compose.yml
index dace85a..c0839da 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -38,4 +38,8 @@ services:
 - FLASK_PORT=5172
 # Host binding (default: 0.0.0.0 for Docker)
- - FLASK_HOST=0.0.0.0
\ No newline at end of file
+ - FLASK_HOST=0.0.0.0
+
+ # Secret key for sessions (generate unique key for production)
+ # Change this to a random string for better security
+ - SECRET_KEY=malias-production-secret-key-change-me
\ No newline at end of file
diff --git a/requirements.txt b/requirements.txt
index 7352b26..d1ce881 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -4,5 +4,3 @@ httpx==0.27.0
 rich==13.7.0
 bcrypt==4.1.2
 gunicorn==21.2.0
-Flask-Session==0.6.0
-cachelib==0.10.2
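Review bot: `session['user_token'] = secrets.token_urlsafe(32)` stores a random value that nothing in this hunk reads, and because the patch moves sessions into the signed client-side cookie there is no server-side record to compare it against; unless `login_required` or another route outside this hunk checks it against a persisted value, it is dead data and should be removed or given a comment naming the code that consumes it. `session.modified = True` on the following line is redundant, since assigning a key into Flask's session already marks it modified. The enclosing `login()` continues outside the hunk.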
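Review bot: `- SECRET_KEY=malias-production-secret-key-change-me` commits a literal session-signing secret to the repository, and the two comment lines above it ask the operator to edit the file rather than supply the value, so anyone who deploys the compose file unchanged runs with a secret that is public. Take it from the host environment or a `.env` file kept out of version control, and make a missing value a startup error: `- SECRET_KEY=${SECRET_KEY:?set SECRET_KEY in .env}`. The comments can then say where the value comes from instead of asking for it to be changed.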