From 8debaa57d789d4754bc010498f55f45b2d4e2fe5 Mon Sep 17 00:00:00 2001
From: Preston Landers
Date: Sun, 23 Jul 2017 10:17:32 -0500
Subject: [PATCH 1/3] Use `secrets` builtin module if available when autogenerating session secret.
---
 velruse/app/__init__.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/velruse/app/__init__.py b/velruse/app/__init__.py
index 51ec761..c046595 100644
--- a/velruse/app/__init__.py
+++ b/velruse/app/__init__.py
@@ -9,6 +9,10 @@ from velruse.app.utils import generate_token
 from velruse.app.utils import redirect_form
+try:
+ import secrets
+except ImportError:
+ secrets = None
 log = __import__('logging').getLogger(__name__)
@@ -86,7 +90,10 @@ def default_setup(config):
 log.warn('Configuring unencrypted cookie-based session with a '
 'random secret which will invalidate old cookies when '
 'restarting the app.')
- secret = ''.join('%02x' % ord(x) for x in os.urandom(16))
+ if secrets is not None:
+ secret = secrets.token_urlsafe(32)
+ else:
+ secret = ''.join('%02x' % ord(x) for x in os.urandom(16))
 log.info('autogenerated session secret: %s', secret)
 factory = UnencryptedCookieSessionFactoryConfig(
 secret, cookie_name=cookie_name)
From e630a349c432ba3f1a7b4ea7d57c441f9d1de6f0 Mon Sep 17 00:00:00 2001
From: Preston Landers
Date: Sun, 23 Jul 2017 12:30:58 -0500
Subject: [PATCH 2/3] Use `pyramid.SignedCookieSessionFactory` instead of `UnencryptedCookieSessionFactoryConfig`
---
 velruse/app/__init__.py | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/velruse/app/__init__.py b/velruse/app/__init__.py
index c046595..d4d8d83 100644
--- a/velruse/app/__init__.py
+++ b/velruse/app/__init__.py
@@ -1,4 +1,5 @@
 import os
+import sys
 from anykeystore import create_store_from_settings
@@ -16,6 +17,8 @@ log = __import__('logging').getLogger(__name__)
+PYTHON_2 = sys.version_info.major == 2
+
 def auth_complete_view(context, request):
 endpoint = request.registry.settings.get('endpoint')
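Review bot: The autogenerated value is still written to the log on the context line `log.info('autogenerated session secret: %s', secret)` directly after the new `if secrets is not None:` branch, so the secret that protects session cookies ends up in plaintext in whatever collects the application logs. Keep the message but drop the value, e.g. `log.info('autogenerated a session secret; set "session.secret" to persist it across restarts')`. The same line survives as context in the last hunk of PATCH 2/3 and of PATCH 3/3. The body of default_setup starts before and continues after the hunk.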
@@ -77,7 +80,8 @@ def default_setup(config):
 specified then an in-memory storage backend will be used.
 """
- from pyramid.session import UnencryptedCookieSessionFactoryConfig
+ # from pyramid.session import UnencryptedCookieSessionFactoryConfig
+ from pyramid.session import SignedCookieSessionFactory
 log.info('Using an unencrypted cookie-based session. This can be '
 'changed by pointing the "velruse.setup" setting at a different '
@@ -87,15 +91,18 @@ def default_setup(config):
 secret = settings.get('session.secret')
 cookie_name = settings.get('session.cookie_name', 'velruse.session')
 if secret is None:
- log.warn('Configuring unencrypted cookie-based session with a ' 'random secret which will invalidate old cookies when ' 'restarting the app.')
+ log.info( 'Configuring unencrypted cookie-based session with a ' 'random secret which will invalidate old cookies when ' 'restarting the app.')
 if secrets is not None:
 secret = secrets.token_urlsafe(32)
- else:
+ elif PYTHON_2:
 secret = ''.join('%02x' % ord(x) for x in os.urandom(16))
+ else:
+ secret = ''.join('%02x' % x for x in os.urandom(16))
 log.info('autogenerated session secret: %s', secret)
- factory = UnencryptedCookieSessionFactoryConfig(
+ factory = SignedCookieSessionFactory(
 secret, cookie_name=cookie_name)
 config.set_session_factory(factory)
From 46889a0947694d752b210f7a2909db56ffe1ec2b Mon Sep 17 00:00:00 2001
From: Preston Landers
Date: Mon, 24 Jul 2017 08:29:49 -0500
Subject: [PATCH 3/3] Handle case where `SignedCookieSessionFactory` is not available.
---
 velruse/app/__init__.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/velruse/app/__init__.py b/velruse/app/__init__.py
index d4d8d83..c95a650 100644
--- a/velruse/app/__init__.py
+++ b/velruse/app/__init__.py
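Review bot: The new `elif PYTHON_2:` / `else:` split in the secret fallback can be collapsed to one portable line, `secret = binascii.hexlify(os.urandom(16)).decode('ascii')`, which yields the same 32-hex-character string on Python 2 and 3 and removes the need for the `PYTHON_2` flag and the `sys` import added in this patch's earlier hunks (at the cost of an `import binascii` at the top of the module). As written, the `secrets.token_urlsafe(32)` branch produces a 256-bit secret while both fallbacks produce only 128 bits; if the fallback stays, `os.urandom(32)` would make the strength consistent across interpreters. The body of default_setup starts before and continues after the hunk.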
@@ -80,8 +80,10 @@ def default_setup(config):
 specified then an in-memory storage backend will be used.
 """
- # from pyramid.session import UnencryptedCookieSessionFactoryConfig
- from pyramid.session import SignedCookieSessionFactory
+ try:
+ from pyramid.session import SignedCookieSessionFactory as SessionFactory
+ except ImportError:
+ from pyramid.session import UnencryptedCookieSessionFactoryConfig as SessionFactory
 log.info('Using an unencrypted cookie-based session. This can be '
 'changed by pointing the "velruse.setup" setting at a different '
@@ -102,8 +104,7 @@ def default_setup(config):
 else:
 secret = ''.join('%02x' % x for x in os.urandom(16))
 log.info('autogenerated session secret: %s', secret)
- factory = SignedCookieSessionFactory(
- secret, cookie_name=cookie_name)
+ factory = SessionFactory(secret, cookie_name=cookie_name)
 config.set_session_factory(factory)
 # setup backing storage
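Review bot: The `except ImportError:` fallback in the first hunk silently substitutes `UnencryptedCookieSessionFactoryConfig` for `SignedCookieSessionFactory`, and nothing in the log afterwards tells an operator which of the two a deployment actually ended up with. The two are not equivalent: the legacy factory is the one Pyramid deprecated in favour of `SignedCookieSessionFactory`, and, if I recall correctly, it uses an older signing scheme and pickle-based serialisation of the session payload, so the fallback is worth being visible. Add a one-line record in the except branch, e.g. `log.warning('SignedCookieSessionFactory unavailable; falling back to UnencryptedCookieSessionFactoryConfig')`, or at least a comment stating which Pyramid versions take the fallback path. The body of default_setup starts before and continues after the hunk.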