From fd2d689a0a8859fee7a8edecf487a320c11e7676 Mon Sep 17 00:00:00 2001
From: Steve Garon
Date: Wed, 14 Jul 2021 16:06:25 +0000
Subject: [PATCH] Clear session before aborting with 401

---
 assemblyline_ui/api/base.py | 1 +
 assemblyline_ui/security/authenticator.py | 5 +++++
 setup.py | 1 -
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/assemblyline_ui/api/base.py b/assemblyline_ui/api/base.py
index 14e31503..66bece7d 100644
--- a/assemblyline_ui/api/base.py
+++ b/assemblyline_ui/api/base.py
@@ -60,6 +60,7 @@ def auto_auth_check(self):
 except AuthenticationException:
 msg = "Invalid user or APIKey"
 LOGGER.warning(f"Authentication failure. (U:{uname} - IP:{ip}) [{msg}]")
+ flsk_session.clear()
 abort(401, msg)
 
 return
diff --git a/assemblyline_ui/security/authenticator.py b/assemblyline_ui/security/authenticator.py
index efad8cf2..d2b2c1bb 100644
--- a/assemblyline_ui/security/authenticator.py
+++ b/assemblyline_ui/security/authenticator.py
@@ -70,12 +70,14 @@ def get_logged_in_user(self):
 
 if not session_id:
 current_app.logger.debug('session_id cookie not found')
+ flsk_session.clear()
 abort(401, "Session not found")
 
 session = KV_SESSION.get(session_id)
 
 if not session:
 current_app.logger.debug(f'[{session_id}] session_id not found in redis')
+ flsk_session.clear()
 abort(401, "Session expired")
 else:
 cur_time = now()
@@ -83,6 +85,7 @@ def get_logged_in_user(self):
 KV_SESSION.pop(session_id)
 current_app.logger.debug(f'[{session_id}] session has expired '
 f'{session.get("expire_at", 0)} < {cur_time}')
+ flsk_session.clear()
 abort(401, "Session expired")
 else:
 session['expire_at'] = cur_time + session.get('duration', 3600)
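Review bot: `flsk_session` is referenced on the added line in `auto_auth_check`, but the diffstat shows base.py gains only that one line, so the name must already be imported in that module; if it is not, the API-key failure path raises NameError instead of returning the intended 401. Clearing the Flask cookie session here discards only client-side session data and does not touch any `KV_SESSION` entry, which is reasonable for an API-key failure but deserves a one-line comment such as `# drop any stale cookie session so the client does not keep retrying with dead credentials`. The same clear-then-abort pair is repeated at every 401 site in the authenticator.py hunks below; a small helper like `def _abort_unauthorized(msg): flsk_session.clear(); abort(401, msg)` would keep the two steps from drifting apart as more branches are added. `auto_auth_check` begins and ends outside the hunk.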
@@ -91,12 +94,14 @@ def get_logged_in_user(self):
 request.headers.get("X-Forwarded-For", request.remote_addr) != session.get('ip', None):
 current_app.logger.debug(f'[{session_id}] X-Forwarded-For does not match session IP '
 f'{request.headers.get("X-Forwarded-For", None)} != {session.get("ip", None)}')
+ flsk_session.clear()
 abort(401, "Invalid source IP for this session")
 
 if config.ui.validate_session_useragent and \
 request.headers.get("User-Agent", None) != session.get('user_agent', None):
 current_app.logger.debug(f'[{session_id}] User-Agent does not match session user_agent '
 f'{request.headers.get("User-Agent", None)} != {session.get("user_agent", None)}')
+ flsk_session.clear()
 abort(401, "Invalid user agent for this session")
 
 KV_SESSION.set(session_id, session)
diff --git a/setup.py b/setup.py
index 7c4d98cd..6ece11ab 100644
--- a/setup.py
+++ b/setup.py
@@ -42,7 +42,6 @@
 'python-socketio<5.0.0',
 'flask',
 'flask-socketio<5.0.0',
- 'greenlet',
 'gunicorn',
 'gevent',
 'gevent-websocket',
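Review bot: On the X-Forwarded-For and User-Agent mismatch branches the added `flsk_session.clear()` discards only the client's cookie data, while the server-side entry in `KV_SESSION` is left intact; the expiry branch in the preceding hunk, by contrast, calls `KV_SESSION.pop(session_id)` before aborting. If a source-IP or user-agent mismatch is meant to invalidate the session, `KV_SESSION.pop(session_id)` should precede the abort in both branches here as well; if the session is deliberately retained for the legitimate client, a short comment stating that would stop a later reader from "fixing" it. Separately, the IP comparison reads `X-Forwarded-For` as presented by the request, which is a pre-existing choice outside this change but worth confirming is only honoured behind a proxy that overwrites client-supplied values. `get_logged_in_user` continues past the end of the hunk.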
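Review bot: Dropping `greenlet` from `install_requires` is unrelated to the subject line (clearing the session before a 401) and would be easier to audit as a separate commit. It is presumably safe because `gevent` pulls greenlet in transitively, but nothing in this diff shows that, and any direct `import greenlet` in the package would no longer be guaranteed by the install metadata. Since these entries are unpinned names, the effective greenlet version is now determined entirely by gevent's own constraint, which is worth a note in the commit message.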