Merge branch 'upgrade-pyramid-session-redis-1.7' into 'develop-1.101'

Draft: Update pyramid-session-redis to 1.5.3 (was 1.5.0) See merge request tildes/tildes!175
4 weeks ago · eed970f715
6 changed files with 19 additions and 3 deletions
--- a/tildes/development.ini
+++ b/tildes/development.ini
@ -32,6 +32,7 @@ redis.sessions.unix_socket_path = %(redis.unix_socket_path)s
 redis.sessions.prefix = session:
 redis.sessions.cookie_secure = true
 redis.sessions.cookie_max_age = 31536000
+redis.sessions.cookie_samesite = Lax

 # Set session timeout to 10 mins by default, we'll extend it when people log in
 redis.sessions.timeout = 600
--- a/tildes/production.ini.example
+++ b/tildes/production.ini.example
@ -10,6 +10,7 @@ redis.sessions.unix_socket_path = %(redis.unix_socket_path)s
 redis.sessions.prefix = session:
 redis.sessions.cookie_secure = true
 redis.sessions.cookie_max_age = 31536000
+redis.sessions.cookie_samesite = Lax

 # disable the python timeout management in pyramid-session-redis
 redis.sessions.python_expires = false
--- a/tildes/requirements-dev.txt
+++ b/tildes/requirements-dev.txt
@ -91,7 +91,7 @@ pyramid-ipython==0.2
 pyramid-jinja2==2.10.1
 pyramid-mako==1.1.0
 pyramid-openapi3==0.21.0
-pyramid-session-redis==1.5.0
+pyramid-session-redis==1.5.3
 pyramid-tm==2.6
 pyramid-webassets==0.10
 pytest==8.4.1
--- a/tildes/requirements.in
+++ b/tildes/requirements.in
@ -23,7 +23,7 @@ pyramid<2.0
 pyramid-ipython
 pyramid-jinja2
 pyramid-openapi3>=0.17.0
-pyramid-session-redis==1.5.0  # 1.5.1 has a change that will invalidate current sessions
+pyramid-session-redis==1.5.3 # TODO: allow 1.8.0+ after legacy cookie sessions expire
 pyramid-tm
 pyramid-webassets
 python-dateutil
--- a/tildes/requirements.txt
+++ b/tildes/requirements.txt
@ -62,7 +62,7 @@ pyramid==1.10.8
 pyramid-ipython==0.2
 pyramid-jinja2==2.10.1
 pyramid-openapi3==0.21.0
-pyramid-session-redis==1.5.0
+pyramid-session-redis==1.5.3
 pyramid-tm==2.6
 pyramid-webassets==0.10
 python-dateutil==2.9.0.post0
--- a/tildes/tildes/init.py
+++ b/tildes/tildes/init.py
@ -7,6 +7,7 @@ import sentry_sdk
 from marshmallow.exceptions import ValidationError
 from paste.deploy.config import PrefixMiddleware
 from pyramid.config import Configurator
+from pyramid_session_redis.legacy import GracefulCookieSerializer
 from sentry_sdk.integrations.pyramid import PyramidIntegration
 from webassets import Bundle

@ -16,6 +17,19 @@ def main(global_config: dict[str, str], **settings: str) -> PrefixMiddleware:
    config = Configurator(settings=settings)

    config.include("cornice")
+
+    # Pass a cookie_signer to migrate legacy sessions
+    # from pyramid_session_redis 1.5.0 to 1.5.1+.
+    # We should remove this settings override after all legacy cookies expire.
+    config.add_settings(
+        {
+            "redis.sessions.cookie_signer": GracefulCookieSerializer(
+                settings["redis.sessions.secret"]
+            ),
+            "redis.sessions.secret": None,
+        }
+    )
+
    config.include("pyramid_session_redis")
    config.include("pyramid_webassets")
    config.include("pyramid_openapi3")