Some changes to authentication.

- Do not use session cookies for AWS/CWS, but regular cookies
- Allow authentication in CWS without IP autologin or cookies, but with
  a `X-CMS-Authorization` header.

Author: veluca93

cms/server/admin/authentication.py

@@ -144,7 +144,8 @@ def my_start_response(status, headers, exc_info=None):
             """
             response = Response(status=status, headers=headers)
             self._cookie.save_cookie(
-                response, AWSAuthMiddleware.COOKIE, httponly=True)
+                response, AWSAuthMiddleware.COOKIE, httponly=True,
+                max_age=config.admin_cookie_duration)
             return start_response(
                 status, response.headers.to_wsgi_list(), exc_info)
 

cms/server/contest/authentication.py

@@ -164,6 +164,7 @@ def authenticate_request(
     contest: Contest,
     timestamp: datetime,
     cookie: bytes | None,
+    authorization_header: bytes | None,
     ip_address: AnyIPAddress,
 ) -> tuple[Participation | None, bytes | None]:
     """Authenticate a user returning to the site, with a cookie.
@@ -180,6 +181,9 @@ def authenticate_request(
     - if IP autologin is enabled, we look for a participation whose IP
       address matches the remote IP address; if a match is found, the
       user is authenticated as that participation;
+    - if username/password authentication is enabled, and a
+      "X-CMS-Authorization" header is present and valid, the
+      corresponding participation is returned.
     - if username/password authentication is enabled, and the cookie
       is valid, the corresponding participation is returned, together
       with a refreshed cookie.
@@ -219,8 +223,8 @@ def authenticate_request(
 
     if participation is None \
             and contest.allow_password_authentication:
-        participation, cookie = _authenticate_request_from_cookie(
-            sql_session, contest, timestamp, cookie)
+        participation, cookie = _authenticate_request_from_cookie_or_authorization_header(
+            sql_session, contest, timestamp, authorization_header if authorization_header is not None else cookie)
 
     if participation is None:
         return None, None
@@ -305,7 +309,7 @@ def _authenticate_request_by_ip_address(
     return participation
 
 
-def _authenticate_request_from_cookie(
+def _authenticate_request_from_cookie_or_authorization_header(
     sql_session: Session, contest: Contest, timestamp: datetime, cookie: bytes | None
 ) -> tuple[Participation | None, bytes | None]:
     """Return the current participation based on the cookie.
@@ -316,8 +320,8 @@ def _authenticate_request_from_cookie(
         execute queries.
     contest: the contest the user is trying to access.
     timestamp: the date and the time of the request.
-    cookie: the cookie the user's browser provided in the
-        request (if any).
+    cookie: the contents of the cookie (or authorization header)
+        provided in the request (if any).
 
     return: the participation
         extracted from the cookie and the cookie to set/refresh, or

cms/server/contest/handlers/contest.py

@@ -49,7 +49,7 @@
     import tornado.web as tornado_web
 
 from cms import config, TOKEN_MODE_MIXED
-from cms.db import Contest, Submission, Task, UserTest
+from cms.db import Contest, Submission, Task, UserTest, contest
 from cms.locale import filter_language_codes
 from cms.server import FileHandlerMixin
 from cms.server.contest.authentication import authenticate_request
@@ -73,6 +73,7 @@ class ContestHandler(BaseHandler):
     child of this class.
 
     """
+
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
         self.contest_url: Url = None
@@ -139,6 +140,9 @@ def get_current_user(self) -> Participation | None:
         - if IP autologin is enabled, the remote IP address is matched
           with the participation IP address; if a match is found, that
           participation is returned; in case of errors, None is returned;
+        - if username/password authentication is enabled, and a
+          "X-CMS-Authorization" header is present and valid, the
+          corresponding participation is returned.
         - if username/password authentication is enabled, and the cookie
           is valid, the corresponding participation is returned, and the
           cookie is refreshed.
@@ -164,12 +168,16 @@ def get_current_user(self) -> Participation | None:
             return None
 
         participation, cookie = authenticate_request(
-            self.sql_session, self.contest, self.timestamp, cookie, ip_address)
+            self.sql_session, self.contest,
+            self.timestamp, cookie,
+            self.request.headers.get("X-CMS-Authorization", None),
+            ip_address)
 
         if cookie is None:
             self.clear_cookie(cookie_name)
         elif self.refresh_cookie:
-            self.set_secure_cookie(cookie_name, cookie, expires_days=None)
+            self.set_secure_cookie(
+                cookie_name, cookie, expires_days=None, max_age=config.cookie_duration)
 
         return participation
 

cms/server/contest/handlers/main.py

@@ -183,7 +183,8 @@ def _get_user(self) -> User:
 
         # Find user if it exists
         user: User | None = (
-            self.sql_session.query(User).filter(User.username == username).first()
+            self.sql_session.query(User).filter(
+                User.username == username).first()
         )
         if user is None:
             raise tornado_web.HTTPError(404)
@@ -200,7 +201,8 @@ def _get_team(self) -> Team | None:
             try:
                 team_code: str = self.get_argument("team")
                 team: Team | None = (
-                    self.sql_session.query(Team).filter(Team.code == team_code).one()
+                    self.sql_session.query(Team).filter(
+                        Team.code == team_code).one()
                 )
             except (tornado_web.MissingArgumentError, NoResultFound):
                 raise tornado_web.HTTPError(400)
@@ -246,7 +248,8 @@ def post(self):
         if cookie is None:
             self.clear_cookie(cookie_name)
         else:
-            self.set_secure_cookie(cookie_name, cookie, expires_days=None)
+            self.set_secure_cookie(
+                cookie_name, cookie, expires_days=None, max_age=config.cookie_duration)
 
         if participation is None:
             self.redirect(error_page)
@@ -295,7 +298,8 @@ class NotificationsHandler(ContestHandler):
     def get(self):
         participation: Participation = self.current_user
 
-        last_notification: str | None = self.get_argument("last_notification", None)
+        last_notification: str | None = self.get_argument(
+            "last_notification", None)
         if last_notification is not None:
             last_notification = make_datetime(float(last_notification))
 
@@ -380,7 +384,7 @@ def get(self):
         language_docs = []
         if config.docs_path is not None:
             for language in languages:
-                ext = language.source_extensions[0][1:] # remove dot
+                ext = language.source_extensions[0][1:]  # remove dot
                 path = os.path.join(config.docs_path, ext)
                 if os.path.exists(path):
                     language_docs.append((language.name, ext))

cmstestsuite/unit_tests/server/contest/authentication_test.py

@@ -175,6 +175,7 @@ def attempt_authentication(self, **kwargs):
             self.session, self.contest,
             kwargs.get("timestamp", self.timestamp),
             kwargs.get("cookie", self.cookie),
+            kwargs.get("authorization", None),
             ipaddress.ip_address(kwargs.get("ip_address", "10.0.0.1")))
 
     def assertSuccess(self, **kwargs):
@@ -327,6 +328,11 @@ def test_invalid_cookie(self):
         self.assertFailure(cookie=None)
         self.assertFailure(cookie="not a valid cookie")
 
+    def test_authorization_header(self):
+        self.contest.ip_autologin = False
+        self.contest.allow_password_authentication = True
+        self.assertSuccess(cookie=None, authorization=self.cookie)
+
     def test_no_user(self):
         self.session.delete(self.user)
         self.assertFailure()