
Simplify SessionKey usage

Jeremy Stretch 8 years ago
parent
commit
dd27950fae

+ 10 - 8
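--- a/netbox/secrets/api/views.py
+++ b/netbox/secrets/api/views.py
@@ -1,6 +1,7 @@
 import base64
 from Crypto.PublicKey import RSA
 
+from django.core.urlresolvers import reverse
 from django.http import HttpResponseBadRequest
 
 from rest_framework.authentication import BasicAuthentication, SessionAuthentication
@@ -113,11 +114,9 @@ class GetSessionKeyViewSet(ViewSet):
         curl -v -X POST -H "Authorization: Token <token>" -H "Accept: application/json; indent=4" \\
         --data-urlencode "private_key@<filename>" https://netbox/api/secrets/get-session-key/
 
-    This request will yield a session key to be included in an `X-Session-Key` header in future requests, as well as its
-    expiration time:
+    This request will yield a base64-encoded session key to be included in an `X-Session-Key` header in future requests:
 
         {
-            "expiration_time": "2017-03-09T10:42:23.095267Z",
             "session_key": "+8t4SI6XikgVmB5+/urhozx9O5qCQANyOk1MNe6taRf="
         }
     """
@@ -149,14 +148,17 @@ class GetSessionKeyViewSet(ViewSet):
         # Create a new SessionKey
         sk = SessionKey(user=request.user)
         sk.save(master_key=master_key)
+        encoded_key = base64.b64encode(sk.key)
 
-        # Return the session key both as JSON and as a cookie
+        # Craft the response
         response = Response({
-            'session_key': base64.b64encode(sk.key),
-            'expiration_time': sk.expiration_time,
+            'session_key': encoded_key,
         })
-        # TODO: Limit cookie path to secrets API URLs
-        response.set_cookie('session_key', base64.b64encode(sk.key), expires=sk.expiration_time)
+
+        # If token authentication is not in use, assign the session key as a cookie
+        if request.auth is None:
+            response.set_cookie('session_key', value=encoded_key, path=reverse('secrets-api:secret-list'))
+
         return response
 
 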
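Review bot: The new `set_cookie` call writes the session key — the value that unlocks the master key — without `httponly` or `secure`, so page script can read the cookie and it would also be sent over plain HTTP; the one-line change is `response.set_cookie('session_key', value=encoded_key, path=reverse('secrets-api:secret-list'), httponly=True, secure=request.is_secure())`. With `expires` dropped here and the `expiration_time` field and its calculation removed in models.py, the cookie now lasts for the browser session while the stored SessionKey row appears to stay usable until a new one replaces it; the docstring should say so, e.g. `The session key does not expire on its own; request a new one to invalidate the previous key.` The `request.auth is None` test also holds for BasicAuthentication (its authenticate() returns no auth object), so the cookie is issued to Basic-auth clients as well as browser sessions — if only session-authenticated users should get it, check the authenticator explicitly. The enclosing method starts before this hunk.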

+ 1 - 2
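--- a/netbox/secrets/migrations/0002_add_sessionkeys.py
+++ b/netbox/secrets/migrations/0002_add_sessionkeys.py
@@ -1,5 +1,5 @@
 # -*- coding: utf-8 -*-
-# Generated by Django 1.10.4 on 2017-02-03 17:10
+# Generated by Django 1.10.6 on 2017-03-14 14:46
 from __future__ import unicode_literals
 
 from django.conf import settings
@@ -22,7 +22,6 @@ class Migration(migrations.Migration):
                 ('cipher', models.BinaryField(max_length=512)),
                 ('hash', models.CharField(editable=False, max_length=128)),
                 ('created', models.DateTimeField(auto_now_add=True)),
-                ('expiration_time', models.DateTimeField(blank=True, editable=False, null=True)),
                 ('user', models.OneToOneField(editable=False, on_delete=django.db.models.deletion.CASCADE, related_name='session_key', to=settings.AUTH_USER_MODEL)),
             ],
             options={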

+ 0 - 7
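--- a/netbox/secrets/models.py
+++ b/netbox/secrets/models.py
@@ -1,4 +1,3 @@
-import datetime
 import os
 from Crypto.Cipher import AES, PKCS1_OAEP, XOR
 from Crypto.PublicKey import RSA
@@ -9,7 +8,6 @@ from django.contrib.auth.models import Group, User
 from django.core.exceptions import ValidationError
 from django.core.urlresolvers import reverse
 from django.db import models
-from django.utils import timezone
 from django.utils.encoding import force_bytes, python_2_unicode_compatible
 
 from dcim.models import Device
@@ -192,7 +190,6 @@ class SessionKey(models.Model):
     cipher = models.BinaryField(max_length=512, editable=False)
     hash = models.CharField(max_length=128, editable=False)
     created = models.DateTimeField(auto_now_add=True)
-    expiration_time = models.DateTimeField(blank=True, null=True, editable=False)
 
     key = None
 
@@ -217,10 +214,6 @@ class SessionKey(models.Model):
         # Encrypt master key using the session key
         self.cipher = xor_keys(self.key, master_key)
 
-        # Calculate expiration time
-        # TODO: Define a SESSION_KEY_MAX_AGE configuration setting
-        self.expiration_time = timezone.now() + datetime.timedelta(hours=12)
-
         super(SessionKey, self).save(*args, **kwargs)
 
     def get_master_key(self, session_key):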