Island: Disable session-based cookies in Flask

ilija-lazoroski · ilija-lazoroski · commit e99a468583bd · 2023-03-03T13:00:49.000+01:00
Issue: #2157 PR: #3044
diff --git a/monkey/monkey_island/cc/app.py b/monkey/monkey_island/cc/app.py
@@ -4,7 +4,8 @@
 from typing import Iterable, Set, Type
 
 import flask_restful
-from flask import Flask, Response, send_from_directory
+from flask import Flask, Response, g, send_from_directory
+from flask.sessions import SecureCookieSessionInterface
 from flask_mongoengine import MongoEngine
 from flask_security import ConfirmRegisterForm, MongoEngineUserDatastore, Security
 from werkzeug.exceptions import NotFound
@@ -88,6 +89,9 @@ def setup_authentication(app, data_dir):
     # Ignore CSRF, because it's irrelevant for javascript applications
     app.config["WTF_CSRF_CHECK_DEFAULT"] = False
     app.config["SECURITY_CSRF_IGNORE_UNAUTH_ENDPOINTS"] = True
+    # In Token Authentication we can pass the token both in query parametar and header
+    # This disables the query parameter token
+    app.config["SECURITY_TOKEN_AUTHENTICATION_KEY"] = None
 
     # The database object needs to be created after we configure the flask application
     db = MongoEngine(app)
@@ -109,12 +113,31 @@ class CustomConfirmRegisterForm(ConfirmRegisterForm):
             "Email", default="dummy@dummy.com", validators=[validate_no_user_exists_already]
         )
 
+    from flask_login import user_loaded_from_request
+
+    @user_loaded_from_request.connect
+    def user_loaded_from_request(self, user=None):
+        g.login_via_request = True
+
+    class CustomSessionInterface(SecureCookieSessionInterface):
+        """Prevent creating session from API requests."""
+
+        def should_set_cookie(self, *args, **kwargs):
+            return False
+
+        def save_session(self, *args, **kwargs):
+            if g.get("login_via_request"):
+                return
+            return super(CustomSessionInterface, self).save_session(*args, **kwargs)
+
     app.security = Security(
         app,
         user_datastore,
         confirm_register_form=CustomConfirmRegisterForm,
     )
 
+    app.session_interface = CustomSessionInterface()
+
 
 def init_app_config(app, mongo_url, data_dir: Path):
     app.config["MONGO_URI"] = mongo_url
diff --git a/vulture_allowlist.py b/vulture_allowlist.py
@@ -102,6 +102,9 @@
 app.url_map.strict_slashes
 api.representations
 hub.exception_stream
+app.login_via_request
+app.should_set_cookie
+app.session_interface
 
 # Deployment is chosen dynamically
 Deployment.DEVELOP
