Changed app for proxy and https++

2026-01-23 08:38:34 +01:00
parent 21f27e0d27
commit 75a3ec9d7e
4 changed files with 25 additions and 33 deletions
--- a/5
+++ b/5
@@ -15,9 +15,8 @@ COPY reset_password.py .
 COPY templates/ templates/
 COPY static/ static/

-# Create data and session directories
-RUN mkdir -p /app/data /app/data/flask_sessions && \
-    chmod 777 /app/data/flask_sessions
+# Create data directory
+RUN mkdir -p /app/data

 # Copy entrypoint script and make scripts executable
 COPY docker-entrypoint.sh .
--- a/app.py
+++ b/app.py
@@ -1,5 +1,4 @@
-from flask import Flask, render_template, request, jsonify, redirect, url_for, session
-from flask_session import Session
+from flask import Flask, render_template, request, jsonify, redirect, url_for, session, make_response
 from functools import wraps
 from werkzeug.middleware.proxy_fix import ProxyFix
 from datetime import timedelta
@@ -7,9 +6,10 @@ import malias_wrapper as malias_w
 import os
 import argparse
 import sys
+import secrets

 app = Flask(__name__)
-app.secret_key = os.getenv('SECRET_KEY', os.urandom(24).hex())  # Secret key for session management
+app.secret_key = os.getenv('SECRET_KEY', 'malias-default-secret-key-please-change')  # Consistent secret key

 # Configure for reverse proxy (Authelia, Zoraxy, Nginx, etc.)
 # This fixes HTTPS detection and redirects when behind a proxy
@@ -24,31 +24,20 @@ app.wsgi_app = ProxyFix(
 # Initialize database on startup
 malias_w.init_database()

-# Session configuration for reverse proxy
-# Use server-side sessions stored in filesystem (works with multiple Gunicorn workers)
+# Session configuration optimized for reverse proxy with Gunicorn
 app.config.update(
-    # Server-side session storage
-    SESSION_TYPE='filesystem',                  # Store sessions on disk (shared across workers)
-    SESSION_FILE_DIR='/app/data/flask_sessions',  # Session storage directory
-    SESSION_PERMANENT=True,                     # Sessions persist
-    PERMANENT_SESSION_LIFETIME=timedelta(hours=24),  # 24 hour sessions
-    
-    # Session cookie settings
-    SESSION_COOKIE_NAME='malias_session',       # Custom name to avoid conflicts
-    SESSION_COOKIE_SECURE=False,                # Must be False - backend connection is HTTP
-    SESSION_COOKIE_HTTPONLY=True,               # Security: prevent JavaScript access
-    SESSION_COOKIE_SAMESITE='Lax',              # Allow same-site requests (needed for redirects)
-    SESSION_COOKIE_PATH='/',                    # Available for entire application
-    SESSION_COOKIE_DOMAIN=None,                 # Let browser decide
-    
-    # URL generation
-    PREFERRED_URL_SCHEME='https',               # Generate HTTPS URLs when behind proxy
-    APPLICATION_ROOT='/',                        # Application root path
+    PERMANENT_SESSION_LIFETIME=timedelta(hours=24),
+    SESSION_COOKIE_NAME='session',  # Use standard name
+    SESSION_COOKIE_SECURE=False,  # Backend is HTTP
+    SESSION_COOKIE_HTTPONLY=True,
+    SESSION_COOKIE_SAMESITE='Lax',  # Lax works better than None for HTTP backend
+    SESSION_COOKIE_PATH='/',
+    SESSION_COOKIE_DOMAIN=None,  # Let browser auto-set domain
+    SESSION_REFRESH_EACH_REQUEST=False,  # Don't modify session unnecessarily
+    PREFERRED_URL_SCHEME='https',
+    APPLICATION_ROOT='/',
 )

-# Initialize Flask-Session
-Session(app)
-
 def login_required(f):
    """Decorator to require login for routes"""
    @wraps(f)
@@ -64,13 +53,15 @@ def login():
    if request.method == 'POST':
        password = request.json.get('password', '')
        if malias_w.verify_password(password):
-            session.permanent = True  # Make session persistent
+            session.clear()
+            session.permanent = True
            session['logged_in'] = True
+            session['user_token'] = secrets.token_urlsafe(32)
+            session.modified = True
            return jsonify({'status': 'success', 'message': 'Login successful'})
        else:
            return jsonify({'status': 'error', 'message': 'Invalid password'})
    
-    # Check if already logged in
    if session.get('logged_in'):
        return redirect(url_for('index'))
    
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -39,3 +39,7 @@ services:
      
      # Host binding (default: 0.0.0.0 for Docker)
      - FLASK_HOST=0.0.0.0
+      
+      # Secret key for sessions (generate unique key for production)
+      # Change this to a random string for better security
+      - SECRET_KEY=malias-production-secret-key-change-me
--- a/requirements.txt
+++ b/requirements.txt
@@ -4,5 +4,3 @@ httpx==0.27.0
 rich==13.7.0
 bcrypt==4.1.2
 gunicorn==21.2.0
-Flask-Session==0.6.0
-cachelib==0.10.2