Decorator that monitors the session’s auth state of the socket. When socket events come in, it checks whether the session still satisfies the auth requirement by making calls to `session.is_auth_valid()`. If the session’s auth state has become invalid, it disconnects the client. It
(handler)
| 29 | |
| 30 | |
| 31 | def monitor_auth(handler): |
| 32 | """Decorator that monitors the session’s auth state of the socket. |
| 33 | |
| 34 | When socket events come in, it checks whether the session still satisfies |
| 35 | the auth requirement by making calls to `session.is_auth_valid()`. If the |
| 36 | session’s auth state has become invalid, it disconnects the client. |
| 37 | |
| 38 | It doesn’t carry out the check for every incoming socket event, but it |
| 39 | caches the result for a short amount of time, before triggering a fresh |
| 40 | check. The reason is that a call to `session.is_auth_valid()` might take |
| 41 | several milliseconds, and we don’t want to add that latency on every single |
| 42 | incoming socket event. So the periodic caching behaviour is a tradeoff |
| 43 | between security and performance. |
| 44 | |
| 45 | Example of usage: |
| 46 | @monitor_auth |
| 47 | def on_socket_event(): |
| 48 | ... |
| 49 | """ |
| 50 | cache_ttl_seconds = 10 |
| 51 | |
| 52 | @functools.wraps(handler) |
| 53 | def handler_with_auth_check(*args, **kwargs): |
| 54 | next_check_due = _auth_expiry_timestamps.get(flask.request.sid, None) |
| 55 | |
| 56 | if (not next_check_due) or (utc.now() > next_check_due): |
| 57 | if not session.is_auth_valid(satisfies_role=auth.Role.OPERATOR): |
| 58 | flask_socketio.disconnect() |
| 59 | return None |
| 60 | |
| 61 | _auth_expiry_timestamps[flask.request.sid] = utc.now( |
| 62 | ) + datetime.timedelta(seconds=cache_ttl_seconds) |
| 63 | |
| 64 | return handler(*args, **kwargs) |
| 65 | |
| 66 | return handler_with_auth_check |
| 67 | |
| 68 | |
| 69 | @socketio.on('keystroke') |
nothing calls this directly
no outgoing calls
no test coverage detected