Varbin
diff --git a/‎README.md‎
Lines changed: 14 additions & 4 deletions b/‎README.md‎
Lines changed: 14 additions & 4 deletions
diff --git a/‎contrib/docker-compose.yml‎ ‎contrib/dovecot/docker-compose.yml‎contrib/docker-compose.yml renamed to contrib/dovecot/docker-compose.yml b/‎contrib/docker-compose.yml‎ ‎contrib/dovecot/docker-compose.yml‎contrib/docker-compose.yml renamed to contrib/dovecot/docker-compose.yml
diff --git a/‎contrib/freeradius/docker-compose.yml‎ b/‎contrib/freeradius/docker-compose.yml‎
diff --git a/‎devicepasswords/__init__.py‎
Lines changed: 26 additions & 21 deletions b/‎devicepasswords/__init__.py‎
Lines changed: 26 additions & 21 deletions
diff --git a/‎devicepasswords/db.py‎
Lines changed: 9 additions & 7 deletions b/‎devicepasswords/db.py‎
Lines changed: 9 additions & 7 deletions
diff --git a/‎devicepasswords/smgmt.py‎
Lines changed: 23 additions & 44 deletions b/‎devicepasswords/smgmt.py‎
Lines changed: 23 additions & 44 deletions
diff --git a/‎devicepasswords/static/icon.png‎
-5.56 KB b/‎devicepasswords/static/icon.png‎
-5.56 KB
@@ -1,14 +1,24 @@
-# Simple device password management
+<h1><img src="docs/images/icon.svg" height="40"> Device password management</h1>
+<h3>Individual passwords for service without 2FA</h3>
+
+<hr>
+<a href="https://github.com/Varbin/devicepasswords/actions/workflows/docker-image.yml">
+   <img src="https://github.com/Varbin/devicepasswords/actions/workflows/docker-image.yml/badge.svg" alt="Docker Container CI">
+</a>
+
+<a href='https://devicepasswords.readthedocs.io/?badge=latest'>
+   <img src='https://readthedocs.org/projects/devicepasswords/badge/?version=latest' alt='Documentation Status' />
+</a>
+<hr>
 
-![Screenshot](docs/example.png)
 
 Device passwords fix the gap for accessing resources when clients do not support
 the companies single-sign on protocol. The most prominent example is e-mail, 
-where OAuth requires both server and client integration.
+where OAuth requires both server and client integration, which is usually not feasible.
 
 This software allows users to manage their own device passwords.
 
-[Read the docs](https://devicepasswords.readthedocs.io/)
+![Screenshot](docs/example.png)
 
 ## Caveats
 
 
@@ -9,14 +9,13 @@
 import secrets
 import sys
 import time
-import uuid
 from datetime import date, timedelta, datetime
 
 from flask import Flask, session, redirect, render_template, request, \
     url_for, abort
-from sqlalchemy import Uuid
+from flask_session import Session
 
-from .db import db, init_db, Session, User, Token
+from .db import db, init_db, Revoked, User, Token
 from .devpwd import DevicePasswords
 from .oidc import OIDC
 from .pwdhash import hasher
@@ -44,14 +43,16 @@ def create_app():
     app.config["UI_SHOW_SUBJECT"] = True
     app.config["UI_SHOW_LAST_USED"] = True
     app.config["UI_NO_AWOO"] = False
+    app.config["SESSION_TYPE"] = "sqlalchemy"
+    app.config["SESSION_SQLALCHEMY"] = db
 
     app.config.from_prefixed_env("DP")
 
     for var in ["OIDC_DISCOVERY_URL", "OIDC_CLIENT_ID", "OIDC_CLIENT_SECRET",
                 "SQLALCHEMY_DATABASE_URI"]:
         if not app.config.get(var):
             app.logger.error(f"{var} not set.")
-            exit(1)
+            raise ValueError(f"{var} not set.")
 
     try:
         hasher.hash("", scheme=app.config["PASSWORD_HASH"])
@@ -60,7 +61,7 @@ def create_app():
             f"Invalid password hash {app.config['PASSWORD_HASH']}",
             exc_info=sys.exc_info()
         )
-        exit(1)
+        raise
 
     try:
         int(app.config["PASSWORD_MAX_EXPIRATION_DAYS"])
@@ -70,27 +71,26 @@ def create_app():
             app.config['PASSWORD_MAX_EXPIRATION_DAYS'],
             exc_info=sys.exc_info()
         )
-        exit(1)
-
-    if not app.config.get("SECRET_KEY"):
-        app.logger.warning("No secret key set, generating a fresh one. "
-                           "Set one for a load balanced setup.")
-        app.config["SECRET_KEY"] = secrets.token_bytes(32)
+        raise
 
     init_db(app)
+    _ = Session(app)
 
     oidc = OIDC.from_app(app)
     for i in range(5):
         time.sleep(2**i-1)
         try:
             oidc.refresh_config()
-        except:
+        except Exception as e:
+            last = e
             app.logger.warning(f"Cannot connect to IdP (try {i+1}/5)",
                                exc_info=sys.exc_info())
         else:
             break
     else:
         app.logger.error("Cannot connect to IdP try (5/5).")
+        raise last
+
     # Manual overwriting keys here
     # Some IdPs may have different keys for consumer and business accounts,
     # and Oracle ICS instances would need authentication.
@@ -106,7 +106,6 @@ def create_app():
     def index():
         """Render the web interface or login."""
         if not valid_session(oidc):
-            session.clear()
             session["state"] = secrets.token_urlsafe(16)
             return redirect(oidc.get_login_uri(
                 session["state"], url_for("login", _external=True)
@@ -117,6 +116,7 @@ def index():
     @app.route("/login", methods=["GET", "POST"])
     def login():
         """Handle OpenID connect responses."""
+        print(session)
         if request.method == "GET":
             args = request.args
         else:
@@ -170,7 +170,9 @@ def logout():
         email = session["email"]
 
         if sid := session.get("sid"):
-            destroy_session(None, sid)
+            destroy_session(sid)
+        else:
+            session.clear()
 
         if logout_url := oidc.get_logout_url(
                 token, email, url_for("index", _external=True)
@@ -210,12 +212,11 @@ def frontchannel_logout():
         if iss and sid:
             if iss != oidc.config.get("iss"):
                 return abort(400, "Invalid issuer.")
-            destroy_session(None, sid)
-        else:
-            if sid := session.get("sid"):
-                destroy_session(None, sid)
-            else:
-                session.clear()
+            destroy_session(sid)
+        elif sid:
+            destroy_session(sid)
+
+        session.clear()
 
         return ""
 
@@ -250,11 +251,15 @@ def backchannel_logout():
         if not sid and not sub:
             app.logger.info("Sid or sub not present")
             abort(400)
+        if not sid:
+            app.logger.info("Sid not present (sub=%s)", sub)
+            return ""
 
         app.logger.info("Backchannel logout (sid=%s, sub=%s)",
                         sid or '-', sub or '-')
 
-        destroy_session(sub, sid)
+
+        destroy_session(sid)
         return ""
 
     @app.route("/api/tokens", methods=["GET", "POST", "DELETE"])
 
@@ -50,15 +50,17 @@ class Log(db.Model):
     tokenId: Mapped[Uuid] = mapped_column(ForeignKey("tokens.id"))
 
 
-class Session(db.Model):
-    __tablename__ = "session"
+class Revoked(db.Model):
+    __tablename__ = "revoked"
 
     sid: Mapped[str] = mapped_column(String, primary_key=True)
-    sub: Mapped[str] = mapped_column(String, nullable=False)
-    id_token: Mapped[str] = mapped_column(String, nullable=False)
-    refresh_token: Mapped[str] = mapped_column(String, nullable=True)
-    refresh_token_expiration: Mapped[datetime] = mapped_column(DateTime,
-                                                               nullable=True)
+
+    #sub: Mapped[str] = mapped_column(String, nullable=False)
+    #id_token: Mapped[str] = mapped_column(String, nullable=False)
+    #refresh_token: Mapped[str] = mapped_column(String, nullable=True)
+    #refresh_token_expiration: Mapped[datetime] = mapped_column(DateTime,
+    #                                                           nullable=True)
+
 
 def init_db(app: Flask):
     db.init_app(app)
 
@@ -10,7 +10,7 @@
 from flask import current_app, abort, session
 
 from . import OIDC
-from .db import db, Session
+from .db import db, Revoked
 from .oidc import Redeemed
 
 logger = logging.getLogger(__name__)
@@ -26,21 +26,18 @@ def valid_session(oidc: OIDC) -> bool:
     if not (sid := session.get("sid")):
         return not expired
 
-    # Session not in database
-    if (sinfo := db.session.get(Session, sid)) is None:
+    if db.session.get(Revoked, sid) is not None:
         return False
-    if not expired:
-        return True
 
-    # Session is expired and cannot be refreshed in any way.
-    if expired and (not sinfo.refresh_token or (
-            sinfo.refresh_token_expiration is not None and
-            sinfo.refresh_token_expiration < datetime.now()
+    if expired and (
+            not session.get("refresh_token") or (
+                session.get("refresh_token_expiration") is not None and
+                session.get("refresh_token_expiration") < datetime.now()
     )):
         return False
 
     current_app.logger.info("Refreshing session (sid=%s)" % sid)
-    redeemed, e = oidc.redeem_refresh(sinfo.refresh_token)
+    redeemed, e = oidc.redeem_refresh(session.get("refresh_token"))
     if e is not None:
         current_app.logger.warning(
             "Refreshing failed (sid=%s)" % sid,
@@ -51,19 +48,17 @@ def valid_session(oidc: OIDC) -> bool:
 
     current_app.logger.info("Refreshing successful (sid=%s)" % sid)
 
-    sinfo.id_token = redeemed.id_token
-    sinfo.refresh_token = redeemed.refresh_token
+    session["id_token"] = redeemed.id_token
+    session["refresh_token"] = redeemed.refresh_token
     if redeemed.expires_in:
-        sinfo.refresh_token_expiration = (
+        session["refresh_token_expiration"] = (
                 datetime.now() +
                 timedelta(seconds=redeemed.refresh_token_expires_in)
         )
     else:
-        sinfo.refresh_token_expiration = None
+        session["refresh_token_expiration"] = None
 
     update_session(redeemed.id_token, redeemed.claims, redeemed.profile)
-    db.session.add(sinfo)
-    db.session.commit()
 
     return True
 
@@ -72,35 +67,20 @@ def destroy_session(sub=None, sid=None):
     session.clear()
 
     if sid:
-        if (sess := db.session.get(Session, sid)) is not None:
-            db.session.delete(sess)
-    elif sub:
-        for sess in db.session.execute(
-                db.select(Session).filter_by(sub=sub)
-        ).scalars() or []:
-            db.session.delete(sess)
-
-    db.session.commit()
+        db.session.add(Revoked(sid=sid))
+        db.session.commit()
 
 
 def new_session(redeemed: Redeemed):
-    session.clear()
     session["state"] = secrets.token_urlsafe(16)
-
-    update_session(redeemed.id_token, redeemed.claims, redeemed.profile)
-    if not (sid := redeemed.claims.get("sid")):
-        return
-    sess = db.session.get(Session, sid) or Session(sid=sid)
-    sess.sub = redeemed.claims.get("sub")
-    sess.id_token = redeemed.id_token
-    sess.refresh_token = redeemed.refresh_token
+    session["id_token"] = redeemed.id_token
+    session["refresh_token"] = redeemed.refresh_token
+    session["sid"] = redeemed.claims.get("sid")
     if redeemed.refresh_token_expires_in:
-        sess.refresh_token_expiration = datetime.now() + \
-                                        timedelta(
-                                            seconds=redeemed.refresh_token_expires_in)
-
-    db.session.add(sess)
-    db.session.commit()
+        session["refresh_token_expiration"] \
+            = (datetime.now() +
+               timedelta(seconds=redeemed.refresh_token_expires_in))
+    update_session(redeemed.id_token, redeemed.claims, redeemed.profile)
 
 
 def update_session(id_token, claims, profile):
@@ -110,7 +90,7 @@ def update_session(id_token, claims, profile):
     session["token"] = id_token
 
     required = [
-        "sub", app.config["OIDC_CLAIM_EMAIL"],
+        "exp", "iss", "sub", app.config["OIDC_CLAIM_EMAIL"],
         app.config["OIDC_CLAIM_USERNAME"],
     ]
     if app.config.get("OIDC_CLAIM_VERIFIED"):
@@ -125,11 +105,10 @@ def update_session(id_token, claims, profile):
                   "Missing claim \"%s\". Contact your administrator."
                   % claim)
 
-    # Always present (more or less)
-    for claim in ["exp", "iss"]:
+    # Always present
+    for claim in ["exp", "sub"]:
         session[claim] = claims[claim]
 
-    session["sub"] = claims["sub"]
     if claims.get("sid"):
         session["sid"] = claims["sid"]