Update pyramid-session-redis to 1.5.3 (was 1.5.0)

See merge request tildes/tildes!177

tildes/development.ini

@@ -32,6 +32,7 @@ redis.sessions.unix_socket_path = %(redis.unix_socket_path)s
 redis.sessions.prefix = session:
 redis.sessions.cookie_secure = true
 redis.sessions.cookie_max_age = 31536000
+redis.sessions.cookie_samesite = Lax
 
 # Set session timeout to 10 mins by default, we'll extend it when people log in
 redis.sessions.timeout = 600

tildes/production.ini.example

@@ -10,6 +10,7 @@ redis.sessions.unix_socket_path = %(redis.unix_socket_path)s
 redis.sessions.prefix = session:
 redis.sessions.cookie_secure = true
 redis.sessions.cookie_max_age = 31536000
+redis.sessions.cookie_samesite = Lax
 
 # disable the python timeout management in pyramid-session-redis
 redis.sessions.python_expires = false

tildes/requirements-dev.txt

@@ -78,7 +78,7 @@ pyramid-debugtoolbar==4.12.1
 pyramid-ipython==0.2
 pyramid-jinja2==2.10.1
 pyramid-mako==1.1.0
-pyramid-session-redis==1.5.0
+pyramid-session-redis==1.5.3
 pyramid-tm==2.6
 pyramid-webassets==0.10
 pytest==8.4.1

tildes/requirements.in

@@ -22,7 +22,7 @@ pyotp
 pyramid<2.0
 pyramid-ipython
 pyramid-jinja2
-pyramid-session-redis==1.5.0  # 1.5.1 has a change that will invalidate current sessions
+pyramid-session-redis==1.5.3 # TODO: allow 1.8.0+ after legacy cookie sessions expire
 pyramid-tm
 pyramid-webassets
 python-dateutil

tildes/requirements.txt

@@ -49,7 +49,7 @@ pyproject-hooks==1.2.0
 pyramid==1.10.8
 pyramid-ipython==0.2
 pyramid-jinja2==2.10.1
-pyramid-session-redis==1.5.0
+pyramid-session-redis==1.5.3
 pyramid-tm==2.6
 pyramid-webassets==0.10
 python-dateutil==2.9.0.post0

tildes/tildes/__init__.py

@@ -7,6 +7,7 @@ import sentry_sdk
 from marshmallow.exceptions import ValidationError
 from paste.deploy.config import PrefixMiddleware
 from pyramid.config import Configurator
+from pyramid_session_redis.legacy import GracefulCookieSerializer
 from sentry_sdk.integrations.pyramid import PyramidIntegration
 from webassets import Bundle
 
@@ -16,6 +17,19 @@ def main(global_config: dict[str, str], **settings: str) -> PrefixMiddleware:
     config = Configurator(settings=settings)
 
     config.include("cornice")
+
+    # Pass a cookie_signer to migrate legacy sessions
+    # from pyramid_session_redis 1.5.0 to 1.5.1+.
+    # We should remove this settings override after all legacy cookies expire.
+    config.add_settings(
+        {
+            "redis.sessions.cookie_signer": GracefulCookieSerializer(
+                settings["redis.sessions.secret"]
+            ),
+            "redis.sessions.secret": None,
+        }
+    )
+
     config.include("pyramid_session_redis")
     config.include("pyramid_webassets")