Remove keys from session and inject Session class into Jinja (#1456)

* Closes #1362
* Reduces the session object to just an id, nonce, and security hash

CTFd/constants/sessions.py

@@ -0,0 +1,18 @@
+from flask import session
+
+
+class _SessionWrapper:
+    @property
+    def id(self):
+        return session.get("id", 0)
+
+    @property
+    def nonce(self):
+        return session.get("nonce")
+
+    @property
+    def hash(self):
+        return session.get("hash")
+
+
+Session = _SessionWrapper()

CTFd/themes/core/templates/base.html

@@ -17,7 +17,7 @@
 			'urlRoot': "{{ request.script_root }}",
 			'csrfNonce': "{{ nonce }}",
 			'userMode': "{{ Configs.user_mode }}",
-			'userId': {{ id if (id is defined) else 0 }},
+			'userId': {{ Session.id }},
 			'start': {{ Configs.start | tojson }},
 			'end': {{ Configs.end | tojson }},
 		}

CTFd/utils/initialization/__init__.py

@@ -10,6 +10,7 @@ from werkzeug.middleware.dispatcher import DispatcherMiddleware
 from CTFd.cache import clear_user_recent_ips
 from CTFd.constants.config import Configs
 from CTFd.constants.plugins import Plugins
+from CTFd.constants.sessions import Session
 from CTFd.exceptions import UserNotFoundException, UserTokenExpiredException
 from CTFd.models import Tracking, db
 from CTFd.utils import config, get_config, markdown
@@ -91,6 +92,7 @@ def init_template_globals(app):
     app.jinja_env.globals.update(get_ip=get_ip)
     app.jinja_env.globals.update(Configs=Configs)
     app.jinja_env.globals.update(Plugins=Plugins)
+    app.jinja_env.globals.update(Session=Session)
 
 
 def init_logs(app):
@@ -154,12 +156,6 @@ def init_events(app):
 
 
 def init_request_processors(app):
-    @app.context_processor
-    def inject_user():
-        if session:
-            return dict(session)
-        return dict()
-
     @app.url_defaults
     def inject_theme(endpoint, values):
         if "theme" not in values and app.url_map.is_endpoint_expecting(

CTFd/utils/security/auth.py

@@ -13,8 +13,6 @@ from CTFd.utils.security.signing import hmac
 
 def login_user(user):
     session["id"] = user.id
-    session["name"] = user.name
-    session["email"] = user.email
     session["nonce"] = generate_nonce()
     session["hash"] = hmac(user.password)
 
@@ -24,7 +22,6 @@ def login_user(user):
 
 def update_user(user):
     session["id"] = user.id
-    session["name"] = user.name
     session["email"] = user.email
     session["hash"] = hmac(user.password)