Fine tune EUS flask-session config
Apart from generic hardening, we also need to set the Flask session
directory in order to be able to restrict the default umask (YDA-5565)
stsnel authored and lwesterhof committed Apr 15, 2024
1 parent b3abba1 commit 5212af2
Showing 2 changed files with 15 additions and 1 deletion.
5 changes: 5 additions & 0 deletions roles/yoda_external_user_service/defaults/main.yml
Expand Up @@ -17,6 +17,11 @@ eus_api_fqdn: api.eus.yoda.test
eus_api_port: 8443
eus_api_secret: PLACEHOLDER

# Flask-session configuration
yoda_eus_cookie_samesite: Strict # 'Strict' or 'Lax'
yoda_eus_session_lifetime: 30 * 60 # in seconds, so 30 minutes
yoda_eus_session_dir: '/tmp/eus_session/' # default flask session dir

eus_db_host: localhost
eus_db_port: 5432
eus_db_name: extuser
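
Review bot: The default for yoda_eus_session_dir points at /tmp/eus_session/, a path under a world-writable directory, so its name is predictable and nothing in this change guarantees the service account is the one that creates and owns it. Since the commit message says the directory is set in order to restrict the umask, consider defaulting to a service-owned location outside /tmp and having the role create it with an explicit owner and mode 0700. The trailing comment "default flask session dir" is also worth rewording: Flask-Session's own default for SESSION_FILE_DIR is a flask_session directory under the working directory, not this path.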
11 changes: 10 additions & 1 deletion roles/yoda_external_user_service/templates/flask.cfg.j2
Expand Up @@ -6,7 +6,16 @@ YODA_EUS_FQDN = '{{ yoda_eus_fqdn }}'
CSRF_TOKENS_ENABLED = 'true'
API_SECRET = '{{ eus_api_secret }}'
EUS_TITLE_TEXT = 'Yoda External User Service'
SESSION_TYPE = 'filesystem'

# Flask-Session configuration
SESSION_TYPE = 'filesystem'
SESSION_COOKIE_NAME = '__Host-session'
SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_SAMESITE = '{{ yoda_eus_cookie_samesite }}'
PERMANENT_SESSION_LIFETIME = {{ yoda_eus_session_lifetime }}
SESSION_USE_SIGNER = True
SESSION_FILE_DIR = '{{ yoda_eus_session_dir }}'

# Theming configuration
YODA_THEME_PATH = '{{ yoda_theme_path }}' # Path to location of themes
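
Review bot: PERMANENT_SESSION_LIFETIME is rendered unquoted from yoda_eus_session_lifetime, whose default in defaults/main.yml is the YAML string 30 * 60 rather than a number, so the result is correct only as long as this file is evaluated as Python and every override is a valid numeric expression. Storing 1800 in the defaults and rendering it with the int filter would make the type explicit. On the SESSION_COOKIE_NAME line, the __Host- prefix is only honoured by browsers when the cookie is Secure, has Path=/ and carries no Domain attribute, so a short comment saying that SESSION_COOKIE_DOMAIN must stay unset and the cookie path must remain / would keep a later change from silently breaking sessions. SESSION_COOKIE_SAMESITE takes whatever string the variable holds; the role could assert that it is 'Strict' or 'Lax', as the defaults comment states.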