Try moving the redirect to the app layer.

2013-10-01 16:48:19 -04:00 · 2013-10-01 16:48:19 -04:00 · 0cba17efe3
commit 0cba17efe3
parent a370130494
3 changed files with 24 additions and 4 deletions
--- a/config.py
+++ b/config.py
@ -60,6 +60,7 @@ class DebugConfig(FlaskConfig, MailConfig, LocalStorage, SQLiteDB):
    'level': logging.DEBUG,
    'format': LOG_FORMAT
  }
+  SECURE_REDIRECT = False


 class ProductionConfig(FlaskConfig, MailConfig, S3Storage, RDSMySQL):
@ -69,3 +70,4 @@ class ProductionConfig(FlaskConfig, MailConfig, S3Storage, RDSMySQL):
    'level': logging.DEBUG,
    'format': LOG_FORMAT,
  }
+  SECURE_REDIRECT = True
--- a/endpoints/web.py
+++ b/endpoints/web.py
@ -1,9 +1,11 @@
 import logging
+import urlparse

 from flask import (abort, send_file, redirect, request, url_for,
                   render_template)
 from flask.ext.login import login_user, UserMixin, login_required, logout_user
 from flask.ext.principal import identity_changed, Identity, AnonymousIdentity
+from functools import wraps

 from data import model
 from app import app, login_manager
@ -23,6 +25,20 @@ class _LoginWrappedDBUser(UserMixin):
    return unicode(self.db_user.username)


+def secure_required(f):
+  @wraps(f)
+  def decorated_view(*args, **kwargs):
+    if (app.config['SECURE_REDIRECT'] and 
+        request.environ['wsgi.url_scheme'] == 'http'):
+
+      logger.debug('Redirecting http url to https.')
+      parsed = urlparse.urlparse(request.url)
+      location = urlparse.urlunparse(('https',) + parsed[1:])
+      return redirect(location)
+    return f(*args, **kwargs)
+  return decorated_view
+
+
@login_manager.user_loader
 def load_user(username):
  logger.debug('Loading user: %s' % username)
@ -34,6 +50,7 @@ def load_user(username):


@app.route('/', methods=['GET'])
+@secure_required
 def index():
  return send_file('templates/index.html')

@ -50,11 +67,13 @@ def common_login(db_user):


@app.route('/signin', methods=['GET'])
+@secure_required
 def render_signin_page():
  return render_template('signin.html')


@app.route('/signin', methods=['POST'])
+@secure_required
 def signin():
  username = request.form['username']
  password = request.form['password']
@ -75,6 +94,7 @@ def signin():


@app.route('/confirm', methods=['GET'])
+@secure_required
 def confirm_email():
  code = request.values['code']
  user = model.confirm_user_email(code)
@ -85,11 +105,13 @@ def confirm_email():


@app.route('/reset', methods=['GET'])
+@secure_required
 def password_reset():
  pass


@app.route("/signout")
+@secure_required
@login_required
 def logout():
    logout_user()
--- a/wsgi.conf
+++ b/wsgi.conf
@ -8,10 +8,6 @@ WSGIPassAuthorization On
 <VirtualHost *:80>
  SetEnvIf X-Forwarded-Proto https HTTPS=1

-  RewriteEngine On
-  RewriteCond %{HTTP:X-Forwarded-Proto} !https
-  RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=permanent]
-
  Alias /static /opt/python/current/app/static/
  <Directory /opt/python/current/app/>
    Order allow,deny