This is something I wrote a few days ago, also for GAE+AngularJS. Have a look; maybe you could adopt it for your scenario.
Basic idea is:
1) When the user logs in you generate a session token from user data, time and project data and send that as a cookie. (I'm using simple encoding at the moment; if you need to, look into some heavier encryption.)
2) You combine that cookie with your master key and save that in server session.
3) On following requests, you check if the cookie matches the header and if (when you combine them with the master key) they match the token you stored in the session.
4) If they don't match, deny access.
Full disclosure: I'm not any kind of security or optimization expert, so I don't know if this is a good solution or not. This is something I deduced from various online sources, and I haven't tested it yet, so use it with caution (;
```python
import hashlib
import time
from datetime import datetime

import webapp2

# Assumed to be defined elsewhere in the app: a server-side secret that is
# never sent to the client, and a project identifier.
MASTER_KEY = 'change-me-server-side-secret'
PROJECT = 'my-gae-project'


class Handler(webapp2.RequestHandler):
    # Assumes self.user (logged-in user id) and self.session (e.g. a
    # webapp2_extras.sessions store) are set up by a base handler/dispatch().

    @property
    def verified(self):
        # Double-submit check: cookie and header must carry the same token,
        # and that token combined with MASTER_KEY must equal the value kept
        # in the server session, so a forged cookie without the key fails.
        if not self.user:
            return False
        _cookie = self.request.cookies.get('XSRF-TOKEN')
        _header = self.request.headers.get('X-XSRF-TOKEN')
        if not _cookie or not _header or _header != _cookie:
            return False
        return self.token == hashlib.sha1(
            str(_header) + '::' + MASTER_KEY).hexdigest()

    @webapp2.cached_property
    def token(self):
        # Keyed form of the session token, i.e. sha1(raw_token::MASTER_KEY).
        return self.session.get('XSRF-TOKEN')

    def generate_session_token(self, value):
        # Raw token built from user, time and project data; only this raw
        # value goes to the client as the cookie.
        user_hash = hashlib.sha1(str(value)).hexdigest()
        time_hash = hashlib.sha1(
            '%s' % time.mktime(datetime.now().timetuple())).hexdigest()
        app_hash = hashlib.sha1(PROJECT).hexdigest()
        return hashlib.sha1(
            app_hash + '::' + user_hash + '::' + time_hash).hexdigest()

    def login_callback(self, provider):
        if provider == 'admin':
            # Keep the keyed digest server-side, send the raw token as cookie.
            _token = self.generate_session_token(self.user)
            self.session['XSRF-TOKEN'] = hashlib.sha1(
                _token + '::' + MASTER_KEY).hexdigest()
            self.response.set_cookie('XSRF-TOKEN', _token)
        self.redirect('/')

    def get(self):
        if not self.verified:
            self.error(401)
        else:
            self.displayProject()  # assumed to be defined on the handler
```
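To show the four steps above as a framework-free check, here is an added example (not the answerer's code and not tied to webapp2) that uses an HMAC with the master key instead of sha1 string concatenation, a constant-time compare, and a plain dict standing in for the server session; PROJECT and MASTER_KEY are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-ins for the answer's PROJECT and MASTER_KEY (server-only).
PROJECT = "demo-project"
MASTER_KEY = b"constructed-master-key-change-me"


def generate_session_token(user_id: str) -> str:
    """Step 1: per-login token from user, time and project data (plus fresh
    randomness so the value cannot be reconstructed from public inputs)."""
    material = "::".join([
        hashlib.sha1(PROJECT.encode()).hexdigest(),
        hashlib.sha1(user_id.encode()).hexdigest(),
        hashlib.sha1(str(time.time()).encode()).hexdigest(),
        secrets.token_hex(16),
    ])
    return hashlib.sha256(material.encode()).hexdigest()


def keyed_digest(token: str) -> str:
    """Step 2: what the server stores, HMAC(master_key, token)."""
    return hmac.new(MASTER_KEY, token.encode(), hashlib.sha256).hexdigest()


def login(user_id: str, session: dict) -> str:
    """Store the keyed digest in the server session; return the raw token
    that the handler would set as the XSRF-TOKEN cookie."""
    token = generate_session_token(user_id)
    session["XSRF-TOKEN"] = keyed_digest(token)
    return token


def verified(session: dict, cookie, header) -> bool:
    """Steps 3 and 4: cookie must equal the X-XSRF-TOKEN header and its
    keyed digest must equal the session value; anything else is denied."""
    stored = session.get("XSRF-TOKEN")
    if not isinstance(cookie, str) or not isinstance(header, str) or not stored:
        return False
    if not hmac.compare_digest(cookie, header):
        return False
    return hmac.compare_digest(keyed_digest(header), stored)
```

A token minted without the master key (the "forged cookie" case) fails even when cookie and header agree, which is the property the server-side session copy buys you.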