| author | Bobby <[email protected]> | 2024-08-24 22:13:41 -0400 |
|---|---|---|
| committer | Bobby <[email protected]> | 2024-08-24 22:13:41 -0400 |
| commit | 95b7a6d8a53178f6bfa836e1e162beeb7cda68b3 (patch) | |
| tree | 5d5860670a09abbea0fb2d82f02a77d95949b4db /middleware | |
| parent | 690dcc05e88c9ad063712969de99ffe462b7a1cd (diff) | |
| download | yugen-95b7a6d8a53178f6bfa836e1e162beeb7cda68b3.tar.xz yugen-95b7a6d8a53178f6bfa836e1e162beeb7cda68b3.zip | |
auth verification cookie
Diffstat (limited to 'middleware')
| -rw-r--r-- | middleware/authentication.py | 60 |
1 files changed, 48 insertions, 12 deletions
diff --git a/middleware/authentication.py b/middleware/authentication.py
index 90baa09..6be5437 100644
--- a/middleware/authentication.py
+++ b/middleware/authentication.py
@@ -1,10 +1,12 @@
+import json
+from django.utils import timezone
+from datetime import timedelta
 from django.shortcuts import redirect
 from django.contrib.auth import logout
-from django.urls import reverse
 from authentication.utils import (
     get_redirect_uri,
     get_discord_user,
-) # Import your utility functions
+)
 
 
 class AuthMiddleware:
@@ -21,7 +23,6 @@ class AuthMiddleware:
         response = self.get_response(request)
         return response
 
-        # Perform the authentication check
         if (
             not request.user.is_authenticated
             or not request.user.discord_id
@@ -30,16 +31,51 @@ class AuthMiddleware:
             logout(request)
             return redirect(get_redirect_uri())
 
-        # Get the User's Discord Information
-        user = get_discord_user(
-            access_token=request.user.discord_access_token,
-            token_type=request.user.discord_token_type,
-        )
+        # Check the verification cookie
+        verification_cookie = request.COOKIES.get("guild_verified")
+        if verification_cookie:
+            try:
+                cookie_data = json.loads(verification_cookie)
+                verified_at = timezone.datetime.fromisoformat(
+                    cookie_data["verified_at"]
+                )
+                if timezone.now() > verified_at + timedelta(hours=24):
+                    # Verification expired, need to re-check
+                    raise ValueError("Verification expired")
+            except (json.JSONDecodeError, ValueError):
+                # Cookie is invalid or expired, need to re-check
+                pass
+        else:
+            # No verification cookie, need to check guild membership
+            pass
 
-        if not user["is_authorized"]:
-            logout(request)
-            return redirect(get_redirect_uri())
+        if not verification_cookie or not self._is_authorized(request):
+            user = get_discord_user(
+                access_token=request.user.discord_access_token,
+                token_type=request.user.discord_token_type,
+            )
+
+            if not user["is_authorized"]:
+                logout(request)
+                response = redirect(get_redirect_uri())
+                response.delete_cookie("guild_verified") # Ensure cookie is removed
+                return response
+
+            # Set the verification cookie
+            response = self.get_response(request)
+            response.set_cookie(
+                "guild_verified",
+                json.dumps({"verified_at": timezone.now().isoformat()}),
+                max_age=24 * 60 * 60, # Cookie expires after 24 hours
+                httponly=True, # Cookie cannot be accessed via JavaScript
+                secure=True, # Ensure cookie is sent over HTTPS
+            )
+            return response
 
-        # Proceed to the view
         response = self.get_response(request)
         return response
+
+    def _is_authorized(self, request):
+        # Check if the user is authorized based on the current cookie or session
+        # This function should ideally be a lightweight check
+        return True |
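Review bot: The parse-and-expiry check on `guild_verified` is thrown away, so at `if not verification_cookie or not self._is_authorized(request):` any non-empty cookie — malformed, past its 24-hour window, or simply minted by the client, since the value is plain unsigned JSON — skips the `get_discord_user` membership check, and `_is_authorized` is a stub that always returns `True`. Record the outcome of the `try` in a flag and branch on that, as below; with the flag in place the `_is_authorized` stub is dead and can be dropped. A cookie that parses but is not an object or lacks `verified_at` raises `TypeError`/`KeyError` at `cookie_data["verified_at"]`, which the `except (json.JSONDecodeError, ValueError)` clause does not catch, and a naive timestamp compared against `timezone.now()` would raise `TypeError` the same way. Beyond the flag, issue the cookie with `response.set_signed_cookie(...)` and read it with `request.get_signed_cookie("guild_verified", max_age=24 * 60 * 60)` so a forged or stale value is rejected by Django's signer instead of being trusted. `__call__` begins outside the hunk.
```python
        # Only a cookie that parses and is inside its window may skip the Discord call.
        cookie_valid = False
        verification_cookie = request.COOKIES.get("guild_verified")
        if verification_cookie:
            try:
                cookie_data = json.loads(verification_cookie)
                verified_at = timezone.datetime.fromisoformat(cookie_data["verified_at"])
                cookie_valid = timezone.now() <= verified_at + timedelta(hours=24)
            except (json.JSONDecodeError, KeyError, TypeError, ValueError):
                cookie_valid = False

        if not cookie_valid:
            # … unchanged: get_discord_user(), logout/redirect with delete_cookie, set_cookie, return …
```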
