tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

start_session.py (2219B)

      1 import importlib
      2 from urllib.parse import parse_qs
      3 jwt_helper = importlib.import_module('device-bound-session-credentials.jwt_helper')
      4 session_manager = importlib.import_module('device-bound-session-credentials.session_manager')
      5 
      6 def main(request, response):
      7    test_session_manager = session_manager.find_for_request(request)
      8    extra_cookie_headers = test_session_manager.get_set_cookie_headers(test_session_manager.registration_extra_cookies, request)
      9    if test_session_manager.get_allows_challenges() and test_session_manager.get_registration_sends_challenge_before_instructions():
     10        # Only send back a challenge on the first call.
     11        test_session_manager.reset_registration_sends_challenge_before_instructions()
     12        return (403, [('Secure-Session-Challenge', '"login_challenge_value"')] + extra_cookie_headers, "")
     13 
     14    session_id = test_session_manager.create_new_session()
     15    if test_session_manager.get_allows_challenges():
     16        jwt_header, jwt_payload, verified = jwt_helper.decode_jwt(request.headers.get("Secure-Session-Response").decode('utf-8'))
     17        test_session_manager.set_session_key(session_id, jwt_header.get('jwk'))
     18 
     19        if not verified or jwt_payload.get("jti") != "login_challenge_value":
     20            return (400, list(response.headers) + extra_cookie_headers, "")
     21 
     22        if jwt_payload.get("authorization") != test_session_manager.get_authorization_value():
     23            return (400, list(response.headers) + extra_cookie_headers, "")
     24 
     25        if jwt_payload.get("sub") is not None:
     26            return (400, list(response.headers) + extra_cookie_headers, "")
     27 
     28    if test_session_manager.get_has_custom_query_param() and 'registrationQueryParam' not in parse_qs(request.url_parts.query):
     29        return (400, list(response.headers) + extra_cookie_headers, "")
     30 
     31    (code, headers, body) = test_session_manager.get_session_instructions_response(session_id, request)
     32    headers += extra_cookie_headers
     33    if test_session_manager.get_allows_challenges() and  test_session_manager.get_registration_sends_challenge_with_instructions():
     34        headers.append(('Secure-Session-Challenge', f'"login_challenge_value";id="{session_id}"'))
     35    return (code, headers, body)