Get # of days from config

- Also cleaned up tests
- Also changed cookie to strict

Author: ristomcgehee

tests/unit/accounts/test_views.py

@@ -14,6 +14,8 @@
 import json
 import uuid
 
+from datetime import timedelta
+
 import freezegun
 import pretend
 import pytest
@@ -48,7 +50,6 @@
 )
 from warehouse.accounts.views import (
     REMEMBER_DEVICE_COOKIE,
-    REMEMBER_DEVICE_SECONDS,
     two_factor_and_totp_validate,
 )
 from warehouse.admin.flags import AdminFlag, AdminFlagValue
@@ -600,7 +601,7 @@ def test_get_returns_totp_form(self, pyramid_request, redirect_url):
             ITokenService: token_service,
             IUserService: user_service,
         }[interface]
-
+        pyramid_request.registry.settings = {"remember_device.days": 30}
         pyramid_request.query_string = pretend.stub()
 
         form_obj = pretend.stub()
@@ -613,7 +614,7 @@ def test_get_returns_totp_form(self, pyramid_request, redirect_url):
         assert token_service.loads.calls == [
             pretend.call(pyramid_request.query_string, return_timestamp=True)
         ]
-        assert result == {"totp_form": form_obj}
+        assert result == {"totp_form": form_obj, "remember_device_days": 30}
         assert form_class.calls == [
             pretend.call(
                 pyramid_request.POST,
@@ -653,16 +654,17 @@ def test_get_returns_webauthn(self, pyramid_request, redirect_url):
             ITokenService: token_service,
             IUserService: user_service,
         }[interface]
-
+        pyramid_request.registry.settings = {"remember_device.days": 30}
         pyramid_request.query_string = pretend.stub()
+
         result = views.two_factor_and_totp_validate(
             pyramid_request, _form_class=pretend.stub()
         )
 
         assert token_service.loads.calls == [
             pretend.call(pyramid_request.query_string, return_timestamp=True)
         ]
-        assert result == {"has_webauthn": True}
+        assert result == {"has_webauthn": True, "remember_device_days": 30}
 
     @pytest.mark.parametrize("redirect_url", [None, "/foo/bar/", "/wat/"])
     def test_get_returns_recovery_code_status(self, pyramid_request, redirect_url):
@@ -693,7 +695,7 @@ def test_get_returns_recovery_code_status(self, pyramid_request, redirect_url):
             ITokenService: token_service,
             IUserService: user_service,
         }[interface]
-
+        pyramid_request.registry.settings = {"remember_device.days": 30}
         pyramid_request.query_string = pretend.stub()
         result = views.two_factor_and_totp_validate(
             pyramid_request, _form_class=pretend.stub()
@@ -702,7 +704,7 @@ def test_get_returns_recovery_code_status(self, pyramid_request, redirect_url):
         assert token_service.loads.calls == [
             pretend.call(pyramid_request.query_string, return_timestamp=True)
         ]
-        assert result == {"has_recovery_codes": True}
+        assert result == {"has_recovery_codes": True, "remember_device_days": 30}
 
     @pytest.mark.parametrize("redirect_url", ["test_redirect_url", None])
     @pytest.mark.parametrize("has_recovery_codes", [True, False])
@@ -770,6 +772,7 @@ def test_totp_auth(
             lambda *args: None
         )
         pyramid_request.session.record_password_timestamp = lambda timestamp: None
+        pyramid_request.registry.settings = {"remember_device.days": 30}
 
         form_obj = pretend.stub(
             validate=pretend.call_recorder(lambda: True),
@@ -862,6 +865,7 @@ def test_totp_form_invalid(self):
                 IUserService: user_service,
             }[interface],
             query_string=pretend.stub(),
+            registry=pretend.stub(settings={"remember_device.days": 30}),
         )
 
         form_obj = pretend.stub(
@@ -875,7 +879,7 @@ def test_totp_form_invalid(self):
         assert token_service.loads.calls == [
             pretend.call(request.query_string, return_timestamp=True)
         ]
-        assert result == {"totp_form": form_obj}
+        assert result == {"totp_form": form_obj, "remember_device_days": 30}
 
     def test_two_factor_token_missing_userid(self, pyramid_request):
         token_service = pretend.stub(
@@ -1149,7 +1153,7 @@ def test_check_remember_device_token_invalid_wrong_user(self):
         )
         assert not views._check_remember_device_token(request, 1)
 
-    def test_remember_device(self, monkeypatch, pyramid_request):
+    def test_remember_device(self):
         token_service = pretend.stub(dumps=lambda *a: "token_data")
         pyramid_request = pretend.stub(
             find_service=lambda interface, **kwargs: {
@@ -1160,6 +1164,9 @@ def test_remember_device(self, monkeypatch, pyramid_request):
             user=pretend.stub(
                 record_event=pretend.call_recorder(lambda *a, **kw: None)
             ),
+            registry=pretend.stub(
+                settings={"remember_device.seconds": timedelta(days=30).total_seconds()}
+            ),
         )
         response = pretend.stub(set_cookie=pretend.call_recorder(lambda *a, **kw: None))
 
@@ -1169,10 +1176,10 @@ def test_remember_device(self, monkeypatch, pyramid_request):
             pretend.call(
                 REMEMBER_DEVICE_COOKIE,
                 "token_data",
-                max_age=REMEMBER_DEVICE_SECONDS,
+                max_age=timedelta(days=30).total_seconds(),
                 httponly=True,
                 secure=True,
-                samesite=b"lax",
+                samesite=b"strict",
                 path="/accounts/login",
             )
         ]
@@ -1236,7 +1243,6 @@ def test_get_returns_form(self, pyramid_request):
             ITokenService: token_service,
             IUserService: user_service,
         }[interface]
-
         pyramid_request.query_string = pretend.stub()
 
         form_obj = pretend.stub()
@@ -1383,6 +1389,7 @@ def test_recovery_code_form_invalid(self):
                 IUserService: user_service,
             }[interface],
             query_string=pretend.stub(),
+            # registry=pretend.stub(settings={"remember_device.days": 30}),
         )
 
         form_obj = pretend.stub(

tests/unit/test_config.py

@@ -12,6 +12,7 @@
 
 import os
 
+from datetime import timedelta
 from unittest import mock
 
 import orjson
@@ -246,7 +247,9 @@ def __init__(self):
         "warehouse.commit": "null",
         "site.name": "Warehouse",
         "token.two_factor.max_age": 300,
-        "token.remember_device.max_age": 2592000,
+        "remember_device.days": 30,
+        "remember_device.seconds": timedelta(days=30).total_seconds(),
+        "token.remember_device.max_age": timedelta(days=30).total_seconds(),
         "token.default.max_age": 21600,
         "pythondotorg.host": "https://www.python.org",
         "warehouse.xmlrpc.client.ratelimit_string": "3600 per hour",

warehouse/accounts/views.py

@@ -94,7 +94,6 @@
 
 USER_ID_INSECURE_COOKIE = "user_id__insecure"
 REMEMBER_DEVICE_COOKIE = "remember_device"
-REMEMBER_DEVICE_SECONDS = 2592000  # 30 days
 
 
 @view_config(context=TooManyFailedLogins, has_translations=True)
@@ -334,6 +333,9 @@ def two_factor_and_totp_validate(request, _form_class=TOTPAuthenticationForm):
         two_factor_state["has_webauthn"] = True
     if user_service.has_recovery_codes(userid):
         two_factor_state["has_recovery_codes"] = True
+    two_factor_state["remember_device_days"] = request.registry.settings[
+        "remember_device.days"
+    ]
 
     if request.method == "POST":
         form = two_factor_state["totp_form"]
@@ -484,10 +486,10 @@ def _remember_device(request, response, userid, two_factor_method) -> None:
     response.set_cookie(
         REMEMBER_DEVICE_COOKIE,
         token,
-        max_age=REMEMBER_DEVICE_SECONDS,
+        max_age=request.registry.settings["remember_device.seconds"],
         httponly=True,
         secure=request.scheme == "https",
-        samesite=b"lax",
+        samesite=b"strict",
         path=request.route_path("accounts.login"),
     )
     request.user.record_event(

warehouse/config.py

@@ -17,6 +17,8 @@
 import os
 import shlex
 
+from datetime import timedelta
+
 import orjson
 import transaction
 
@@ -241,10 +243,17 @@ def configure(settings=None):
     )
     maybe_set(
         settings,
-        "token.remember_device.max_age",
-        "TOKEN_REMEMBER_DEVICE_MAX_AGE",
+        "remember_device.days",
+        "REMEMBER_DEVICE_DAYS",
         coercer=int,
-        default=2592000,  # 30 days,
+        default=30,
+    )
+    settings.setdefault(
+        "remember_device.seconds",
+        timedelta(days=settings.get("remember_device.days")).total_seconds(),
+    )
+    settings.setdefault(
+        "token.remember_device.max_age", settings.get("remember_device.seconds")
     )
     maybe_set(
         settings,

warehouse/templates/accounts/two-factor.html

@@ -61,7 +61,11 @@ <h2>
           <div class="form-group">
             <label>
               <input type="checkbox" id="remember_device_webauthn" name="remember_device" value="true" />
-              {% trans %}Remember this device for 30 days{% endtrans %}
+              {% trans remember_device_days=remember_device_days %}
+              Remember this device for {{ remember_device_days }} day
+              {% pluralize %}
+              Remember this device for {{ remember_device_days }} days
+              {% endtrans %}
             </label>
           </div>
 
@@ -123,7 +127,11 @@ <h2>{% trans %}Authenticate with an app{% endtrans %}</h2>
           <div class="form-group">
             <label>
               <input type="checkbox" name="remember_device" value="true" />
-              {% trans %}Remember this device for 30 days{% endtrans %}
+              {% trans remember_device_days=remember_device_days %}
+              Remember this device for {{ remember_device_days }} day
+              {% pluralize %}
+              Remember this device for {{ remember_device_days }} days
+              {% endtrans %}
             </label>
           </div>