fix: replace filesystem sessions with Flask signed-cookie sessions#70
Conversation
Flask-Session with SESSION_TYPE=filesystem requires /data/flask_session to exist and be persistent. When unavailable (fresh deploy, missing volume mount, local dev), the code_verifier is silently lost between /auth/google and /auth/callback, causing Google to reject the token exchange with invalid_grant: Missing code verifier. Signed-cookie sessions (Flask's built-in default) store auth state in the browser cookie — no filesystem, no volume mounts, no PKCE failures. Aligns with the constitution's no-persistent-volumes principle. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request removes the flask-session dependency and transitions the application to Flask's built-in signed-cookie sessions, eliminating the need for filesystem-based session storage. The changes include removing the import, configuration keys, and initialization of flask-session in app.py, as well as updating requirements.txt. Feedback indicates that corresponding obsolete session configurations in tests/conftest.py should also be removed to maintain consistency and avoid dead configuration.
| app.config["SECRET_KEY"] = secret_key | ||
| app.config["SESSION_TYPE"] = "filesystem" | ||
| app.config["SESSION_FILE_DIR"] = "/data/flask_session" | ||
| # Only require HTTPS cookies in production (localhost uses HTTP) |
There was a problem hiding this comment.
The removal of SESSION_TYPE and SESSION_FILE_DIR is correct for the switch to cookie-based sessions. However, the test configuration in tests/conftest.py (lines 39-40) still contains these keys and attempts to set up a filesystem session directory. This will lead to dead configuration and potential confusion in the test suite. Please update the app fixture in tests/conftest.py to remove the obsolete session configuration.
References
- Maintainability: Adherence to language idioms and best practices, including removing dead configuration. (link)
1 participant
Summary
flask-sessionand its filesystem-based session storageinvalid_grant: Missing code verifierOAuth error caused by PKCEcode_verifierbeing lost when/data/flask_sessionis unavailableWhy
SESSION_TYPE=filesystemrequired/data/flask_sessionto exist as a persistent volume. When missing (fresh deploy, local dev), the session silently failed —code_verifiercame backNonefrom the session on callback, and Google rejected the token exchange. Cookie sessions store auth state in the signed browser cookie, requiring zero filesystem access.Test plan
invalid_granterror🤖 Generated with Claude Code