functional session switcher logic

Author: Archmonger

src/reactpy_django/auth/components.py

@@ -1,6 +1,7 @@
 from __future__ import annotations
 
 import asyncio
+import contextlib
 from logging import getLogger
 from typing import TYPE_CHECKING
 from uuid import uuid4
@@ -9,7 +10,7 @@
 from reactpy import component, hooks
 
 from reactpy_django.javascript_components import HttpRequest
-from reactpy_django.models import AuthSession
+from reactpy_django.models import SwitchSession
 
 if TYPE_CHECKING:
     from django.contrib.sessions.backends.base import SessionBase
@@ -25,13 +26,15 @@ def auth_manager():
     from reactpy_django import config
 
     switch_sessions, set_switch_sessions = hooks.use_state(False)
-    uuid = hooks.use_ref(str(uuid4())).current
+    uuid_ref = hooks.use_ref(str(uuid4()))
+    uuid = uuid_ref.current
     scope = hooks.use_connection().scope
 
     @hooks.use_effect(dependencies=[])
     def setup_asgi_scope():
         """Store a trigger function in websocket scope so that ReactPy-Django's hooks can command a session synchronization."""
-        scope["reactpy-synchronize-session"] = synchronize_session
+        scope.setdefault("reactpy", {})
+        scope["reactpy"]["synchronize_session"] = synchronize_session
         print("configure_asgi_scope")
 
     @hooks.use_effect(dependencies=[switch_sessions])
@@ -49,16 +52,23 @@ async def synchronize_session():
         """Entrypoint where the server will command the client to switch HTTP sessions
         to match the websocket session. This function is stored in the websocket scope so that
         ReactPy-Django's hooks can access it."""
-        print("sync command ", uuid)
+        print("sync command")
         session: SessionBase | None = scope.get("session")
         if not session or not session.session_key:
             print("sync error")
             return
 
-        await AuthSession.objects.aget_or_create(uuid=uuid, session_key=session.session_key)
+        # Delete any sessions currently associated with this UUID
+        with contextlib.suppress(SwitchSession.DoesNotExist):
+            obj = await SwitchSession.objects.aget(uuid=uuid)
+            await obj.adelete()
+
+        obj = await SwitchSession.objects.acreate(uuid=uuid, session_key=session.session_key)
+        await obj.asave()
+
         set_switch_sessions(True)
 
-    async def synchronize_sessions_callback(status_code: int, response: str):
+    async def synchronize_session_callback(status_code: int, response: str):
         """This callback acts as a communication bridge between the client and server, notifying the server
         of the client's response to the session switch command."""
         print("callback")
@@ -72,13 +82,13 @@ async def synchronize_sessions_callback(status_code: int, response: str):
     # If a session cookie was generated, send it to the client
     print("render")
     if switch_sessions:
-        print("switching to ", uuid)
+        print("Rendering HTTP request component with UUID ", uuid)
         return HttpRequest(
             {
                 "method": "GET",
                 "url": reverse("reactpy:switch_session", args=[uuid]),
                 "body": None,
-                "callback": synchronize_sessions_callback,
+                "callback": synchronize_session_callback,
             },
         )
     return None

src/reactpy_django/hooks.py

@@ -427,9 +427,7 @@ async def login(user: AbstractUser):
         await channels_auth.login(scope, user, backend=config.REACTPY_AUTH_BACKEND)
         session_save_func = getattr(scope["session"], "asave", scope["session"].save)
         await ensure_async(session_save_func)()
-
-        # TODO: Pick a different method of triggering a login action
-        scope["reactpy_login"] = True
+        await scope["reactpy"]["synchronize_session"]()
 
     async def logout():
         await channels_auth.logout(scope)

src/reactpy_django/http/views.py

@@ -1,7 +1,6 @@
 import os
 from urllib.parse import parse_qs
 
-from django.contrib.auth.models import AnonymousUser
 from django.core.exceptions import SuspiciousOperation
 from django.http import FileResponse, HttpRequest, HttpResponse, HttpResponseNotFound
 from reactpy.config import REACTPY_WEB_MODULES_DIR
@@ -48,35 +47,38 @@ async def view_to_iframe(request: HttpRequest, dotted_path: str) -> HttpResponse
 async def switch_session(request: HttpRequest, uuid: str) -> HttpResponse:
     """Switches the client's active session.
 
-    Django's authentication design requires HTTP cookies to persist login via cookies.
+    This view exists because ReactPy is rendered via WebSockets, and browsers do not
+    allow active WebSocket connections to modify HTTP cookies. Django's authentication
+    design requires HTTP cookies to persist state changes.
+    """
+    from reactpy_django.models import SwitchSession
 
-    This is problematic since ReactPy is rendered via WebSockets, and browsers do not
-    allow active WebSocket connections to modify HTTP cookies, which necessitates this
-    view to exist."""
-    from reactpy_django.models import AuthSession
+    # Find out what session the client wants to switch
+    data = await SwitchSession.objects.aget(uuid=uuid)
 
-    # TODO: Maybe just relogin the user instead of switching sessions?
-
-    # Find out what session we're switching to
-    auth_session = await AuthSession.objects.aget(uuid=uuid)
-
-    # Validate the session
-    if auth_session.expired:
+    # CHECK: Session has expired?
+    if data.expired:
         msg = "Session expired."
+        await data.adelete()
         raise SuspiciousOperation(msg)
-    if not request.session.exists(auth_session.session_key):
-        msg = "Session does not exist."
+
+    # CHECK: Session does not exist?
+    exists_method = getattr(request.session, "aexists", request.session.exists)
+    if not await ensure_async(exists_method)(data.session_key):
+        msg = "Attempting to switch to a session that does not exist."
         raise SuspiciousOperation(msg)
 
-    # Delete the existing session
-    flush_method = getattr(request.session, "aflush", request.session.flush)
-    await ensure_async(flush_method)()
-    request.user = AnonymousUser()
+    # CHECK: Client already using the correct session?
+    if request.session.session_key == data.session_key:
+        await data.adelete()
+        return HttpResponse(status=204)
 
     # Switch the client's session
-    request.session = type(request.session)(auth_session.session_key)
+    request.session = type(request.session)(session_key=data.session_key)
     load_method = getattr(request.session, "aload", request.session.load)
     await ensure_async(load_method)()
-    await auth_session.adelete()
-
+    request.session.modified = True
+    save_method = getattr(request.session, "asave", request.session.save)
+    await ensure_async(save_method)()
+    await data.adelete()
     return HttpResponse(status=204)

src/reactpy_django/migrations/0008_rename_authsession_switchsession.py

@@ -0,0 +1,17 @@
+# Generated by Django 5.1.4 on 2024-12-24 22:54
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('reactpy_django', '0007_authsession'),
+    ]
+
+    operations = [
+        migrations.RenameModel(
+            old_name='AuthSession',
+            new_name='SwitchSession',
+        ),
+    ]

src/reactpy_django/models.py

@@ -20,10 +20,13 @@ class ComponentSession(models.Model):
     last_accessed = models.DateTimeField(auto_now=True)
 
 
-class AuthSession(models.Model):
-    """A model for storing Django authentication sessions, tied to a UUID.
+class SwitchSession(models.Model):
+    """A model for stores any relevant data needed to force Django's HTTP session to
+    match the websocket session.
 
-    This is used to switch Django's HTTP session to match the websocket session."""
+    This data is tied to an arbitrary UUID for security (obfuscation) purposes.
+
+    Source code must be written to respect the expiration property of this model."""
 
     # TODO: Add cleanup task for this.
     uuid = models.UUIDField(primary_key=True, editable=False, unique=True)