Remove keys from session and inject Session class into Jinja (#1456)

* Closes #1362 * Reduces the session object to just an id, nonce, and security hash
2025-12-18 06:24:23 +01:00 · 2020-06-03 02:09:48 -04:00
parent 2a8d7ed349
commit 52c65ced55
7 changed files with 27 additions and 22 deletions
--- a/CTFd/constants/sessions.py
+++ b/CTFd/constants/sessions.py
@@ -0,0 +1,18 @@
+from flask import session
+
+
+class _SessionWrapper:
+    @property
+    def id(self):
+        return session.get("id", 0)
+
+    @property
+    def nonce(self):
+        return session.get("nonce")
+
+    @property
+    def hash(self):
+        return session.get("hash")
+
+
+Session = _SessionWrapper()
--- a/CTFd/themes/core/templates/base.html
+++ b/CTFd/themes/core/templates/base.html
@@ -17,7 +17,7 @@
 			'urlRoot': "{{ request.script_root }}",
 			'csrfNonce': "{{ nonce }}",
 			'userMode': "{{ Configs.user_mode }}",
-			'userId': {{ id if (id is defined) else 0 }},
+			'userId': {{ Session.id }},
 			'start': {{ Configs.start | tojson }},
 			'end': {{ Configs.end | tojson }},
 		}
--- a/CTFd/utils/initialization/init.py
+++ b/CTFd/utils/initialization/init.py
@@ -10,6 +10,7 @@ from werkzeug.middleware.dispatcher import DispatcherMiddleware
 from CTFd.cache import clear_user_recent_ips
 from CTFd.constants.config import Configs
 from CTFd.constants.plugins import Plugins
+from CTFd.constants.sessions import Session
 from CTFd.exceptions import UserNotFoundException, UserTokenExpiredException
 from CTFd.models import Tracking, db
 from CTFd.utils import config, get_config, markdown
@@ -91,6 +92,7 @@ def init_template_globals(app):
    app.jinja_env.globals.update(get_ip=get_ip)
    app.jinja_env.globals.update(Configs=Configs)
    app.jinja_env.globals.update(Plugins=Plugins)
+    app.jinja_env.globals.update(Session=Session)


 def init_logs(app):
@@ -154,12 +156,6 @@ def init_events(app):


 def init_request_processors(app):
-    @app.context_processor
-    def inject_user():
-        if session:
-            return dict(session)
-        return dict()
-
    @app.url_defaults
    def inject_theme(endpoint, values):
        if "theme" not in values and app.url_map.is_endpoint_expecting(
--- a/CTFd/utils/security/auth.py
+++ b/CTFd/utils/security/auth.py
@@ -13,8 +13,6 @@ from CTFd.utils.security.signing import hmac

 def login_user(user):
    session["id"] = user.id
-    session["name"] = user.name
-    session["email"] = user.email
    session["nonce"] = generate_nonce()
    session["hash"] = hmac(user.password)

@@ -24,7 +22,6 @@ def login_user(user):

 def update_user(user):
    session["id"] = user.id
-    session["name"] = user.name
    session["email"] = user.email
    session["hash"] = hmac(user.password)

--- a/tests/challenges/test_dynamic.py
+++ b/tests/challenges/test_dynamic.py
@@ -212,9 +212,8 @@ def test_dynamic_challenge_loses_value_properly():
                # We need to bypass rate-limiting so creating a fake user instead of logging in
                with client.session_transaction() as sess:
                    sess["id"] = team_id
-                    sess["name"] = name
-                    sess["email"] = email
                    sess["nonce"] = "fake-nonce"
+                    sess["hash"] = "fake-hash"

                data = {"submission": "flag", "challenge_id": 1}

@@ -304,9 +303,8 @@ def test_dynamic_challenge_value_isnt_affected_by_hidden_users():
                # We need to bypass rate-limiting so creating a fake user instead of logging in
                with client.session_transaction() as sess:
                    sess["id"] = team_id
-                    sess["name"] = name
-                    sess["email"] = email
                    sess["nonce"] = "fake-nonce"
+                    sess["hash"] = "fake-hash"

                data = {"submission": "flag", "challenge_id": 1}

--- a/tests/helpers.py
+++ b/tests/helpers.py
@@ -144,9 +144,8 @@ def register_user(
            if raise_for_error:
                with client.session_transaction() as sess:
                    assert sess["id"]
-                    assert sess["name"] == name
-                    assert sess["email"]
                    assert sess["nonce"]
+                    assert sess["hash"]


 def register_team(app, name="team", password="password", raise_for_error=True):
@@ -171,9 +170,8 @@ def login_as_user(app, name="user", password="password", raise_for_error=True):
            if raise_for_error:
                with client.session_transaction() as sess:
                    assert sess["id"]
-                    assert sess["name"]
-                    assert sess["email"]
                    assert sess["nonce"]
+                    assert sess["hash"]
            return client


@@ -229,9 +227,8 @@ def login_with_mlc(
        if raise_for_error:
            with client.session_transaction() as sess:
                assert sess["id"]
-                assert sess["name"]
-                assert sess["email"]
                assert sess["nonce"]
+                assert sess["hash"]
        return client


--- a/tests/oauth/test_redirect.py
+++ b/tests/oauth/test_redirect.py
@@ -71,9 +71,8 @@ def test_oauth_configured_flow():
        client = login_with_mlc(app)
        with client.session_transaction() as sess:
            assert sess["id"]
-            assert sess["name"]
-            assert sess["email"]
            assert sess["nonce"]
+            assert sess["hash"]
    destroy_ctfd(app)