From a6dcce9b5b02599f3eae351f134ba73813e54c92 Mon Sep 17 00:00:00 2001
From: Philipp Rudiger
Date: Mon, 16 Oct 2023 13:44:51 +0200
Subject: [PATCH] Override token contents when reusing sessions (#5640)
---
 panel/io/server.py | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/panel/io/server.py b/panel/io/server.py
index af19eb7bfb..776b04ce1e 100644
--- a/panel/io/server.py
+++ b/panel/io/server.py
@@ -481,6 +481,35 @@ async def get_session(self):
 session.block_expiration()
 return session
+ def _token_payload(self): app = self.application if app.include_headers is None: excluded_headers = (app.exclude_headers or []) allowed_headers = [header for header in self.request.headers if header not in excluded_headers] else: allowed_headers = app.include_headers headers = {k: v for k, v in self.request.headers.items() if k in allowed_headers} if app.include_cookies is None: excluded_cookies = (app.exclude_cookies or []) allowed_cookies = [cookie for cookie in self.request.cookies if cookie not in excluded_cookies] else: allowed_cookies = app.include_cookies cookies = {k: v.value for k, v in self.request.cookies.items() if k in allowed_cookies} if cookies and 'Cookie' in headers and 'Cookie' not in (app.include_headers or []): # Do not include Cookie header since cookies can be restored from cookies dict del headers['Cookie'] arguments = {} if self.request.arguments is None else self.request.arguments payload = {'headers': headers, 'cookies': cookies, 'arguments': arguments} payload.update(self.application_context.application.process_request(self.request)) return payload + @authenticated async def get(self, *args, **kwargs): app = self.application 
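Review bot: The raw `Cookie` header is only stripped when the filtered `cookies` dict is non-empty, so when `exclude_cookies` removes every cookie on the request the full `Cookie` header — excluded values included — still lands in the payload, which defeats the exclusion; dropping the `cookies and` guard closes this: `if 'Cookie' in headers and 'Cookie' not in (app.include_headers or []):`. Separately, header names are matched with plain `in` against the operator-supplied `include_headers`/`exclude_headers` lists, which is case-sensitive; if `self.request.headers` yields normalized Title-Case names (as Tornado's HTTPHeaders appears to), an entry written as `cookie` or `authorization` silently fails to match, so comparing lower-cased names on both sides is safer. The method also lacks a docstring; it should say that the returned dict is folded into the signed session token (see the `generate_jwt_token` call in the second hunk) and that the include/exclude settings are the only filter applied. The rewritten filtering section is below; cookie handling and the payload assembly are unchanged.
```python
    def _token_payload(self):
        """Collect the current request's headers, cookies and arguments that the
        app's include/exclude settings allow into the session token payload."""
        app = self.application
        # Compare header names case-insensitively so the configured lists match
        # however the names were written.
        if app.include_headers is None:
            excluded_headers = {h.lower() for h in (app.exclude_headers or [])}
            allowed_headers = {h.lower() for h in self.request.headers
                               if h.lower() not in excluded_headers}
        else:
            allowed_headers = {h.lower() for h in app.include_headers}
        headers = {k: v for k, v in self.request.headers.items()
                   if k.lower() in allowed_headers}

        # … unchanged: cookie filtering …

        # Always drop the raw Cookie header once cookies have been filtered, even
        # when the filter left none, unless the operator explicitly included it.
        if 'Cookie' in headers and 'cookie' not in {h.lower() for h in (app.include_headers or [])}:
            del headers['Cookie']

        # … unchanged: arguments, payload, process_request merge …
```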
@@ -494,6 +523,7 @@ async def get(self, *args, **kwargs): signed=self.application.sign_sessions ) payload = get_token_payload(session.token) + payload.update(self._token_payload()) del payload['session_expiry'] token = generate_jwt_token( session_id,
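Review bot: The reason the stored token's request data is replaced is not stated at the added `payload.update(self._token_payload())`; a comment such as `# The stored token describes the request that created the session; refresh headers/cookies/arguments from this request` would save the next reader a trip to the commit log. Note that `_token_payload` also merges whatever `process_request` returns, so any key it shares with the stored payload is overwritten by this one `update` as well — worth stating if that is intended. The enclosing `get` starts and continues outside the hunk.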