bump version to 2.1.0

Change for python 3.11 aioredis to redis.

CHANGELOG.md

@@ -0,0 +1,36 @@
+### 2.1.0
+
+- `session_cookie_name` fix
+
+### 2.0.0
+
+- Move from aioredis to redis
+
+### 1.0.7
+
+- Updated memcached support (removed asyncio.loop, removed coroutine decorator)
+
+### 1.0.6
+
+- MongoDB support
+- Transfer copyright to Kroket Ltd.
+
+### 1.0.3 2021-08-31
+
+- Migrated to aioredis 2
+- SameSite support https://github.com/kroketio/quart-session/commit/8daae3a6734e8f7da13954d5a1a5da8f5fc5a49a
+- Memcached stuff https://github.com/filak/quart-session/commit/004871c495a069784e57e604b69f65af1b7e645a
+
+### 1.0.0 2020-01-15
+
+- Added support for arbitrary usage of caching backends.
+    - Exposed `get`, `set`, `delete` on the session interface for direct usage.
+- Renamed `SESSION_HIJACK_REVERSE_PROXY` to `SESSION_REVERSE_PROXY`.
+- Renamed `SESSION_HIJACK_PROTECTION` to `SESSION_PROTECTION`.
+- Removed fallback when `X-Forwarded-For` is not present whilst USING `SESSION_REVERSE_PROXY`, emit error instead.
+- Fixed a bug where session timeouts would default to 600 seconds.
+- Deprecated/disabled the `dirty()` method.
+
+### 0.0.1 2020-01-04
+
+- Released initial pre alpha version.

LICENSE

@@ -1,5 +1,5 @@
 Copyright (c) 2014 by Shipeng Feng.
-Copyright (c) 2020 by dsc.
+Copyright (c) 2020 by Kroket Ltd.
 
 Some rights reserved.
 

MANIFEST.in

@@ -7,3 +7,4 @@ recursive-include quart_session *.md
 exclude .gitlab-ci.yml
 exclude examples
 exclude docs
+exclude venv

README.md

@@ -2,22 +2,21 @@
 
 ![pyversions](https://img.shields.io/pypi/pyversions/Quart-Session.svg) [![pypiversion](https://badge.fury.io/py/Quart-Session.svg)](https://pypi.org/project/Quart-Session/) ![PyPI license](https://img.shields.io/pypi/l/Quart-Session.svg)
 
-Quart-Session is an extension for Quart that adds support for
+Quart-Session is an extension for [Quart](https://gitlab.com/pgjones/quart/blob/master/README.rst) that adds support for
 server-side sessions to your application.
 
 Based on [flask-session](https://pypi.org/project/Flask-Session/).
 
 ## Quick start
 
-Quart-Session can be installed via pipenv or
+Quart-Session can be installed via pipenv or pip,
-pip,
 
 ```bash
 $ pipenv install quart-session
 $ pip install quart-session
 ```
 
-and requires Python 3.7.0 or higher. A fairly minimal Quart-Session example is,
+and requires Python 3.7.0 or higher. A minimal Quart-Session example is:
 
 ```python3
 from quart import Quart, session
@@ -30,7 +29,11 @@ Session(app)
 @app.route('/')
 async def hello():
     session["foo"] = "bar"
-    return 'hello'
+    return "session key 'foo' set"
+
+@app.route('/foo')
+async def foo():
+    return session.get("foo", "session key 'foo' not found")
 
 app.run()
 ```
@@ -38,9 +41,9 @@ app.run()
 ## Features
 
 
-### Redis support
+### Redis
 
-via `aioredis`.
+via `redis>=4.4.0`.
 
 ```python3
 app = Quart(__name__)
@@ -48,8 +51,16 @@ app.config['SESSION_TYPE'] = 'redis'
 Session(app)
 ```
 
-If you already have a `aioredis.Client` instance and you'd like to share
+By default, Quart-session connects to Redis at `127.0.0.1:6379`. If you 
-it with the session interface,
+have a different location, use `SESSION_URI`
+
+```python3
+app = Quart(__name__)
+app.config['SESSION_TYPE'] = 'redis'
+app.config['SESSION_URI'] = 'redis://:password@localhost:6379'
+```
+
+Alternatively, for extra control, you may provide your own `aioredis.Client` instance altogether.
 
 ```python3
 app = Quart(__name__)
@@ -57,15 +68,17 @@ app.config['SESSION_TYPE'] = 'redis'
 
 @app.before_serving
 async def setup():
-    cache = await aioredis.create_redis_pool(...)
+    cache = await aioredis.Redis(
+        host="foobar.com",
+        port=6379,
+        password="foobar"
+    )
+    
     app.config['SESSION_REDIS'] = cache
     Session(app)
 ```
 
-By default, Quart-session creates a single connection to Redis, while
+#### Trio
-the example above sets up a connection pool.
-
-#### Trio support
 
 Quart-Session comes with [an (experimental) Redis client](quart_session/redis_trio) for use with the [Trio](https://trio.readthedocs.io/en/stable/) eventloop.
 
@@ -78,7 +91,7 @@ app.config['SESSION_TYPE'] = 'redis'
 Session(app)
 ```
 
-### Memcached support
+### Memcached
 
 via `aiomcache`.
 
@@ -88,11 +101,23 @@ app.config['SESSION_TYPE'] = 'memcached'
 Session(app)
 ```
 
+### MongoDB
+
+via `motor`.
+
+```python3
+app = Quart(__name__)
+app.config['SESSION_TYPE'] = 'mongodb'
+app.config['SESSION_MONGODB_URI'] = 'mongodb://localhost:27017/my_database'
+app.config['SESSION_MONGODB_COLLECTION'] = 'sessions'
+Session(app)
+```
+
 ### JSON serializer
 
 [flask-session](https://pypi.org/project/Flask-Session/) uses `pickle`
-for session data, Quart-Session opts for a JSON serializer capable of
+for session data while Quart-Session uses [a JSON serializer](https://gitlab.com/pgjones/quart/blob/37e249b9b146824a8668eaa1daa12392aeb00256/src/quart/json/tag.py#L141)
-(de)serializing the usual JSON types, as well as: `Tuple`, `Bytes`,
+capable of serializing the usual JSON types, as well as: `Tuple`, `Bytes`,
 `Markup`, `UUID`, and `DateTime`.
 
 JSON as session data allows for greater interoperability with other
@@ -114,52 +139,44 @@ except ImportError:
 app.session_interface.serialize = pickle
 ```
 
-### Session control
+### Back-end usage
 
-By default, [flask-session](https://pypi.org/project/Flask-Session/) sets a
+At any point you may interface with the session back-end directly:
-session for each incoming request, including static files. From experience,
-this approach can put unneeded load on underlying session infrastructure,
-especially in high-traffic environments.
-
-Quart-Session offers control over the session creation. For example, often you'll only need to create a session when
-a user successfully logs in.
-
-To enable this behaviour, set `SESSION_EXPLICIT` to `True`.
 
 ```python3
-app = Quart(__name__)
+from quart_session.sessions import SessionInterface
-app.config['SESSION_TYPE'] = 'redis'
-app.config['SESSION_EXPLICIT'] = True
-Session(app)
 
-@app.route('/')
+@app.route("/")
-async def root():
+async def hello():
-    if session.get('authenticated'):
+    cache: SessionInterface = app.session_interface
-        return "Welcome back!"
+    await cache.set("random_key", "val", expiry=3600)
-    return "Welcome anonymous!"
+    data = await cache.get("random_key")
-
-@app.route('/login')
-async def login():
-    session["authenticated"] = True
-    session.dirty()  # mark session for saving
-    return 'Logged in!'
-
-app.run()
 ```
 
-To re-gain the old behaviour of always emitting a `Set-Cookie` header on static file serves,
+The interface will have the `get`, `set`, and `delete` methods available (regardless of
-set `SESSION_STATIC_FILE` to `True`.
+back-end - similar to how [aiocache](https://github.com/argaen/aiocache) works).
+
+### Performance
+
+[flask-session](https://pypi.org/project/Flask-Session/) sets a
+session for each incoming request, including static files. From experience,
+this often puts unneeded load on underlying session infrastructure,
+especially in high-traffic environments.
+
+Quart-Session only contacts the back-end when a session changed (or created). In addition,
+static file serves never emit a `Set-Cookie` header. If you'd like to enable
+this though, set `SESSION_STATIC_FILE` to `True`.
 
 
 ### Session pinning
 
 Associates an user's session to his/her IP address. This mitigates cookie stealing via XSS etc, and is handy
-for paranoid web applications.
+for web applications that require extra security.
 
 ```python3
 app = Quart(__name__)
 app.config['SESSION_TYPE'] = 'redis'
-app.config['SESSION_HIJACK_PROTECTION'] = True
+app.config['SESSION_PROTECTION'] = True
 Session(app)
 ```
 
@@ -167,32 +184,25 @@ Session reuse from a different IP will now result in the creation of a new sessi
 
 **Important:** If your application is behind a reverse proxy, it most
 likely provides the `X-Forwarded-For` header which you **must** make use of
-by explicitly setting `SESSION_HIJACK_REVERSE_PROXY` to `True`.
+by explicitly setting `SESSION_REVERSE_PROXY` to `True`.
 
 ## Future development
 
-The following session interfaces would be nice to have:
-
-- `MongoDBSessionInterface`
 - `FileSystemSessionInterface`
 - `GoogleCloudDatastoreSessionInterface`
+- Pytest
 
-Other to-do's:
+## Flask-Session
-
-- Unit testing
-- Documentation (Sphinx)
-
-## Migrating from Flask
 
 This library works very similarly to [flask-session](https://pypi.org/project/Flask-Session/).
-The `quart_session.sessions` APIs are not 100% the same, but unless you
+The changes are specified below:
-are embedded in Flask-Session's internals, a migration should be fairly
-straightforward. The distinct changes are specified below:
 
-- Quart-Session does not `Set-Cookie` on (static) files by default.
+- Quart-Session does not emit a `Set-Cookie` on every request.
-- Quart-Session might not have all the back-end interfaces implemented (yet), such as "filesystem".
+- Quart-Session does not emit a `Set-Cookie` on static file serves.
 - Quart-Session uses a different serializer: `quart.json.tag.TaggedJSONSerializer` instead of `pickle`.
 - Quart-Session disallows the client to supply their own made up `sid` cookie value.
+- Quart-Session can do session protection.
+- Quart-Session might not have all the back-end interfaces implemented (yet), such as "filesystem".
 
 ## Help
 

examples/hello.py

@@ -5,7 +5,7 @@
 
     Quart-Session demo.
 
-    :copyright: (c) 2020 by dsc.
+    :copyright: (c) 2020 by Kroket Ltd.
     :license: BSD, see LICENSE for more details.
 """
 from quart import Quart, session
@@ -21,13 +21,13 @@ Session(app)
 
 
 @app.route('/set/')
-def set():
+async def set():
     session['key'] = 'value'
     return 'ok'
 
 
 @app.route('/get/')
-def get():
+async def get():
     return session.get('key', 'not set')
 
 

quart_session/__init__.py

@@ -6,18 +6,23 @@
     Adds server session support to your application.
 
     :copyright: (c) 2014 by Shipeng Feng.
-    :copyright: (c) 2020 by dsc.
+    :copyright: (c) 2020 by Kroket Ltd.
     :license: BSD, see LICENSE for more details.
 """
 
-__version__ = '0.0.1'
+__version__ = '2.1.0'
 
 import os
-from typing import Optional
 
 from quart import Quart
 
-from .sessions import RedisSessionInterface, RedisTrioSessionInterface, MemcachedSessionInterface, NullSessionInterface
+from .sessions import (
+    RedisSessionInterface,
+    RedisTrioSessionInterface,
+    MemcachedSessionInterface,
+    MongoDBSessionInterface,
+    NullSessionInterface
+)
 
 
 class Session(object):
@@ -79,8 +84,8 @@ class Session(object):
         config.setdefault('SESSION_PERMANENT', True)
         config.setdefault('SESSION_USE_SIGNER', False)
         config.setdefault('SESSION_KEY_PREFIX', 'session:')
-        config.setdefault('SESSION_HIJACK_PROTECTION', False)
+        config.setdefault('SESSION_PROTECTION', False)
-        config.setdefault('SESSION_HIJACK_REVERSE_PROXY', False)
+        config.setdefault('SESSION_REVERSE_PROXY', False)
         config.setdefault('SESSION_STATIC_FILE', False)
         config.setdefault('SESSION_EXPLICIT', False)
         config.setdefault('SESSION_REDIS', None)
@@ -91,6 +96,18 @@ class Session(object):
         config.setdefault('SESSION_FILE_MODE', 384)
         config = {k: v for k, v in config.items() if k.startswith('SESSION_')}
 
+        if isinstance(config.get("SESSION_HIJACK_PROTECTION"), bool):
+            app.logger.warning("Deprecation: `SESSION_HIJACK_PROTECTION` "
+                               "has been renamed to `SESSION_PROTECTION`")
+
+        if isinstance(config.get("SESSION_HIJACK_REVERSE_PROXY"), str):
+            app.logger.warning("Deprecation: `SESSION_HIJACK_REVERSE_PROXY` "
+                               "has been renamed to `SESSION_REVERSE_PROXY`")
+
+        backend_warning = f"Please specify a session backend. " \
+                          f"Available interfaces: redis, redis+trio, " \
+                          f"memcached, null. e.g: app.config['SESSION_TYPE'] = 'redis'"
+
         if config['SESSION_TYPE'] == 'redis':
             options = {
                 "redis": config['SESSION_REDIS'],
@@ -122,7 +139,25 @@ class Session(object):
                 use_signer=config['SESSION_USE_SIGNER'],
                 permanent=config['SESSION_PERMANENT'],
                 **config)
+        elif config['SESSION_TYPE'] == 'mongodb':
+            session_interface = MongoDBSessionInterface(
+                mongodb_uri=config['SESSION_MONGODB_URI'],
+                collection=config['SESSION_MONGODB_COLLECTION'],
+                client_kwargs=config.get('SESSION_MONGODB_CLIENT_KWARGS', {}),
+                set_callback=config.get('SESSION_MONGODB_SET_CALLBACK'),
+                key_prefix=config['SESSION_KEY_PREFIX'],
+                use_signer=config['SESSION_USE_SIGNER'],
+                permanent=config['SESSION_PERMANENT'],
+                **config)
+        elif config['SESSION_TYPE'] == 'null':
+            app.logger.warning(f"{backend_warning}. Currently using: null")
+            session_interface = NullSessionInterface(
+                key_prefix=config['SESSION_KEY_PREFIX'],
+                use_signer=config['SESSION_USE_SIGNER'],
+                permanent=config['SESSION_PERMANENT'],
+                **config)
         else:
-            session_interface = NullSessionInterface()
+            raise NotImplementedError(f"No such session interface "
+                                      f"\"{config['SESSION_TYPE']}\". {backend_warning}")
 
         return session_interface

quart_session/sessions.py

@@ -6,15 +6,16 @@
     Server-side Sessions and SessionInterfaces.
 
     :copyright: (c) 2014 by Shipeng Feng.
-    :copyright: (c) 2020 by dsc.
+    :copyright: (c) 2020 by Kroket Ltd.
     :license: BSD, see LICENSE for more details.
 """
 import time
-from typing import Any, Callable, Optional, TYPE_CHECKING
+from typing import Optional
-from uuid import uuid4
+from uuid import uuid4, UUID
 import asyncio
+import functools
 
-from quart import Quart
+from quart import Quart, current_app
 from quart.wrappers import BaseRequestWebsocket, Response
 from quart.wrappers.response import FileBody
 from quart.sessions import SessionInterface as QuartSessionInterface, SecureCookieSession
@@ -36,7 +37,12 @@ class ServerSideSession(SecureCookieSession):
             self.permanent = permanent
         if addr:
             self.addr = addr
-        self._dirty = False
+        self.modified = False
+
+    def dirty(self):
+        current_app.logger.warning("Deprecation: `dirty()` has "
+                                   "been made obsolete. Will be "
+                                   "removed soon^tm.")
 
     @property
     def addr(self) -> str:
@@ -46,28 +52,6 @@ class ServerSideSession(SecureCookieSession):
     def addr(self, value: str) -> None:
         self['_addr'] = value  # type: ignore
 
-    def dirty(self):
-        """Marks the session to be written/saved.
-
-        .. note::
-
-            This feature only works if you have set ``SESSION_EXPLICIT``
-            to ``True``, at which point you'll have to explicitly mark
-            each session before they'll get processed and saved.
-
-        Example::
-
-            app.config['SESSION_EXPLICIT'] = True
-            Session(app)
-
-            @app.route('/')
-            def root():
-                session['foo'] = 'bar'
-                session.dirty()
-                return "Hello World!"
-        """
-        self._dirty = True
-
 
 class RedisSession(ServerSideSession):
     pass
@@ -77,6 +61,10 @@ class MemcachedSession(ServerSideSession):
     pass
 
 
+class MongoDBSession(ServerSideSession):
+    pass
+
+
 class NullSession(ServerSideSession):
     pass
 
@@ -104,9 +92,17 @@ class SessionInterface(QuartSessionInterface):
             app: Quart,
             request: BaseRequestWebsocket
     ) -> Optional[SecureCookieSession]:
-        sid = request.cookies.get(app.session_cookie_name)
+        cname = app.config.get('SESSION_COOKIE_NAME', 'session')
-        addr = request.headers.get('X-Forwarded-For', request.remote_addr) if \
+        sid = request.cookies.get(cname)
-            self._config['SESSION_HIJACK_PROTECTION'] else None
+        if self._config['SESSION_REVERSE_PROXY'] is True:
+            # and no, you cannot define your own incoming
+            # header, stick to standards :-)
+            addr = request.headers.get('X-Forwarded-For')
+            if not addr:
+                app.logger.error("Could not grab IP from reverse proxy, "
+                                 "session protection is DISABLED!")
+        else:
+            addr = request.remote_addr
         options = {"sid": sid, "permanent": self.permanent, "addr": addr}
 
         if not sid:
@@ -125,27 +121,27 @@ class SessionInterface(QuartSessionInterface):
                 options['sid'] = self._generate_sid()
                 return self.session_class(**options)
 
-        val = await self._backend_get(app, self.key_prefix + sid)
+        val = await self.get(key=self.key_prefix + sid, app=app)
         if val is None:
             options['sid'] = self._generate_sid()
             return self.session_class(**options)
 
+        if self.serializer is None:
+            data = val
+        else:
             try:
                 data = self.serializer.loads(val)
             except:
                 app.logger.warning(f"Failed to deserialize session "
                                    f"data for sid: {sid}. Generating new sid.")
+                app.logger.debug(f"data: {val}")
                 options['sid'] = self._generate_sid()
                 return self.session_class(**options)
 
-        prevent_hijack = self._config['SESSION_HIJACK_PROTECTION']
+        protection = self._config['SESSION_PROTECTION']
-        if prevent_hijack is True:
+        if protection is True and addr is not None and \
-            if self._config['SESSION_HIJACK_REVERSE_PROXY'] is True:
+                data.get('_addr', addr) != addr:
-                addr = request.headers.get('X-Forwarded-For', request.remote_addr)
+            await self.delete(key=self.key_prefix + sid, app=app)
-            else:
-                addr = request.remote_addr
-            if data.get('_addr', addr) != addr:
-                await self._backend_delete(app, self.key_prefix + sid)
             options['sid'] = self._generate_sid()
             return self.session_class(**options)
 
@@ -158,9 +154,8 @@ class SessionInterface(QuartSessionInterface):
         session: SecureCookieSession,
         response: Response
     ) -> None:
-        # prevent set-cookie
+        # prevent set-cookie on unmodified session objects
-        if self._config['SESSION_EXPLICIT'] is True and \
+        if not session.modified:
-                not session._dirty:
             return
 
         # prevent set-cookie on (static) file responses
@@ -168,39 +163,47 @@ class SessionInterface(QuartSessionInterface):
         if self._config['SESSION_STATIC_FILE'] is False and \
                 isinstance(response.response, FileBody):
             return
+
+        cname = app.config.get('SESSION_COOKIE_NAME', 'session')
         session_key = self.key_prefix + session.sid
         domain = self.get_cookie_domain(app)
         path = self.get_cookie_path(app)
         if not session:
             if session.modified:
-                await self._backend_delete(app=app, key=session_key)
+                await self.delete(key=session_key, app=app)
-                response.delete_cookie(app.session_cookie_name,
+                response.delete_cookie(cname,
                                        domain=domain, path=path)
             return
         httponly = self.get_cookie_httponly(app)
+        samesite = self.get_cookie_samesite(app)
         secure = self.get_cookie_secure(app)
         expires = self.get_expiration_time(app, session)
 
+        if self.serializer is None:
+            val = dict(session)
+        else:
             val = self.serializer.dumps(dict(session))
-        await self._backend_set(app=app, key=session_key, value=val)
+
+        await self.set(key=session_key, value=val, app=app)
         if self.use_signer:
             session_id = self._get_signer(app).sign(want_bytes(session.sid))
         else:
             session_id = session.sid
-        response.set_cookie(app.session_cookie_name, session_id,
+        response.set_cookie(cname, session_id,
                             expires=expires, httponly=httponly,
-                            domain=domain, path=path, secure=secure)
+                            domain=domain, path=path, secure=secure, samesite=samesite)
 
     async def create(self, app: Quart):
         raise NotImplementedError()
 
-    async def _backend_get(self, app: Quart, key: str):
+    async def get(self, key: str, app: Quart = None):
         raise NotImplementedError()
 
-    async def _backend_set(self, app: Quart, key: str, value):
+    async def set(self, key: str, value, expiry: int = None,
+                  app: Quart = None):
         raise NotImplementedError()
 
-    async def _backend_delete(self, app: Quart, key: str):
+    async def delete(self, key: str, app: Quart = None):
         raise NotImplementedError()
 
     def _generate_sid(self) -> str:
@@ -227,7 +230,7 @@ class RedisSessionInterface(SessionInterface):
 
     def __init__(self, redis, **kwargs):
         super(RedisSessionInterface, self).__init__(**kwargs)
-        self.redis = redis
+        self.backend = redis
 
     async def create(self, app: Quart) -> None:
         """Creates ``aioredis.Redis`` instance.
@@ -235,22 +238,29 @@ class RedisSessionInterface(SessionInterface):
         .. note::
 
             Creates a single Redis connection, you might prefer
-            pooling instead (see ``aioredis.Redis.create_redis_pool``)
+            pooling instead (see the `aioredis` documentation
+            for connection pool examples).
         """
-        if self.redis is None:
+        if self.backend is None:
-            import aioredis
+            from redis import asyncio as aioredis
-            self.redis = await aioredis.create_redis("redis://localhost")
+            uri = self._config.get('SESSION_URI', 'redis://localhost')
+            self.backend = await aioredis.from_url(
+                uri, encoding="utf-8", decode_responses=True
+            )
 
-    async def _backend_get(self, app: Quart, key: str):
+    async def get(self, key: str, app: Quart = None):
-        return await self.redis.get(key)
+        return await self.backend.get(key)
 
-    async def _backend_set(self, app: Quart, key: str, value):
+    async def set(self, key: str, value, expiry: int = None,
-        return await self.redis.setex(
+                  app: Quart = None):
-            key=key, value=value,
+        if app and not expiry:
-            seconds=total_seconds(app.permanent_session_lifetime))
+            expiry = total_seconds(app.permanent_session_lifetime)
+        return await self.backend.setex(
+            name=key, value=value,
+            time=expiry)
 
-    async def _backend_delete(self, app: Quart, key: str):
+    async def delete(self, key: str, app: Quart = None):
-        return await self.redis.delete(key)
+        return await self.backend.delete(key)
 
 
 class RedisTrioSessionInterface(SessionInterface):
@@ -267,7 +277,7 @@ class RedisTrioSessionInterface(SessionInterface):
 
     def __init__(self, redis, **kwargs):
         super(RedisTrioSessionInterface, self).__init__(**kwargs)
-        self.redis_trio = redis
+        self.backend = redis
 
     async def create(self, app: Quart) -> None:
         """Creates ``aioredis.Redis`` instance.
@@ -277,23 +287,26 @@ class RedisTrioSessionInterface(SessionInterface):
             Creates a single Redis connection. Pooling not
             supported yet for ``RedisTrio``.
         """
-        if self.redis_trio is None:
+        if self.backend is None:
             from quart_session.redis_trio import RedisTrio
-            self.redis_trio = RedisTrio()
+            self.backend = RedisTrio()
-            await self.redis_trio.connect()
+            await self.backend.connect()
 
-    async def _backend_get(self, app: Quart, key: str):
+    async def get(self, key: str, app: Quart = None):
-        data = await self.redis_trio.get(key)
+        data = await self.backend.get(key)
         if data:
             return data.decode()
 
-    async def _backend_set(self, app: Quart, key: str, value):
+    async def set(self, key: str, value, expiry: int = None,
-        return await self.redis_trio.setex(
+                  app: Quart = None):
+        if app and not expiry:
+            expiry = total_seconds(app.permanent_session_lifetime)
+        return await self.backend.setex(
             key=key, value=value,
-            seconds=total_seconds(app.permanent_session_lifetime))
+            seconds=expiry)
 
-    async def _backend_delete(self, app: Quart, key: str):
+    async def delete(self, key: str, app: Quart = None):
-        return await self.redis_trio.delete(key)
+        return await self.backend.delete(key)
 
 
 class MemcachedSessionInterface(SessionInterface):
@@ -314,14 +327,14 @@ class MemcachedSessionInterface(SessionInterface):
         super(MemcachedSessionInterface, self).__init__(
             key_prefix=key_prefix, use_signer=use_signer,
             permanent=permanent, **kwargs)
-        self.memcached = memcached
+        self.backend = memcached
 
-    @asyncio.coroutine
+    async def create(self, app: Quart) -> None:
-    def create(self, app: Quart) -> None:
+        if self.backend is None:
-        if self.memcached is None:
             import aiomcache
-            loop = asyncio.get_running_loop()
+            # self.backend = aiomcache.Client("127.0.0.1", 11211)
-            self.memcached = aiomcache.Client("127.0.0.1", 11211, loop=loop)
+            self.backend = aiomcache.Client(self._config.get('SESSION_MEMCACHED_HOST', '127.0.0.1'),
+                                            self._config.get('SESSION_MEMCACHED_PORT', 11211))
 
     def _get_memcache_timeout(self, timeout):
         """
@@ -338,26 +351,120 @@ class MemcachedSessionInterface(SessionInterface):
             timeout += int(time.time())
         return timeout
 
-    async def _backend_get(self, app: Quart, key: str):
+    async def get(self, key: str, app: Quart = None):
         key = key.encode()
-        return await self.memcached.get(key)
+        return await self.backend.get(key)
+
+    async def set(self, key: str, value, expiry: int = None,
+                  app: Quart = None):
+        if app and not expiry:
+            expiry = self._get_memcache_timeout(
+                total_seconds(app.permanent_session_lifetime))
 
-    async def _backend_set(self, app: Quart, key: str, value):
         key = key.encode()
         value = value.encode()
-        expiry = self._get_memcache_timeout(total_seconds(
+        return await self.backend.set(key=key, value=value,
-            app.permanent_session_lifetime))
-        return await self.memcached.set(key=key, value=value,
                                       exptime=expiry)
 
-    async def _backend_delete(self, app: Quart, key: str):
+    async def delete(self, key: str, app: Quart = None):
         key = key.encode()
-        return await self.memcached.delete(key)
+        return await self.backend.delete(key)
+
+
+def _convert_key_to_uuid(func):
+    """
+        convert the session UUID to a UUID object for mongodb
+
+        example:
+            "session:b8ebbf02-cc7a-4b0b-824f-22a984c8c0b8" ->
+            UUID("b8ebbf02-cc7a-4b0b-824f-22a984c8c0b8")
+
+    """
+
+    @functools.wraps(func)
+    async def wrapper(*args, **kwargs):
+        if 'key' in kwargs:
+            key = kwargs['key']
+            try:
+                if key.startswith('session:'):
+                    _, _uuid = tuple(key.split(':'))
+                    kwargs['key'] = UUID(_uuid)
+            except Exception as e:
+                current_app.logger.warning(
+                    f"session could not be converted to a uuid object: {key}"
+                )
+        return await func(*args, **kwargs)
+    return wrapper
+
+
+class MongoDBSessionInterface(SessionInterface):
+    # mongodb does not a serializer as many object types are properly handled by the connector
+    serializer = None
+    session_class = MongoDBSession
+
+    def __init__(self, mongodb_uri, collection, client_kwargs={}, set_callback=None, **kwargs):
+        from motor.motor_asyncio import AsyncIOMotorClient
+
+        super().__init__(**kwargs)
+        self.mongodb_uri = mongodb_uri
+        self.client_kwargs = client_kwargs
+        self.set_callback = set_callback
+        self._collection = collection
+        self._client = AsyncIOMotorClient(self.mongodb_uri, uuidRepresentation='standard', **self.client_kwargs)
+        self._database = self._client.get_database()
+
+    async def create(self, app: Quart) -> None:
+        pass
+
+    @_convert_key_to_uuid
+    async def get(self, key, app):
+        value = await self.collection.find_one({'_id': key}, {'data': True})
+        if value:
+            return value.get('data', {})
+        else:
+            return None
+
+    @_convert_key_to_uuid
+    async def set(self, key, value, expiry=None, app=None):
+        doc = {
+            'data': value,
+        }
+
+        # allows the document to be modified prior upsert
+        if callable(self.set_callback):
+            self.set_callback(doc)
+
+        await self.collection.update_one({
+                '_id': key
+            }, {
+                '$set': doc
+            },
+            upsert=True
+        )
+
+    @property
+    def collection(self):
+        return self._database.get_collection(self._collection)
 
 
 class NullSessionInterface(SessionInterface):
-    """Used to open a :class:`quart.sessions.NullSession` instance.
+    """This class does absolutely nothing"""
-    """
+    session_class = NullSession
 
-    def open_session(self, app: Quart, request: BaseRequestWebsocket):
+    def __init__(
-        return None
+            self, key_prefix: str, use_signer: bool = False,
+            permanent: bool = True, **kwargs):
+        super(NullSessionInterface, self).__init__(
+            key_prefix=key_prefix, use_signer=use_signer,
+            permanent=permanent, **kwargs)
+        self.backend = None
+
+    async def create(self, app: Quart) -> None:
+        pass
+
+    async def get(self, key: str, app: Quart = None) -> None:
+        pass
+
+    async def set(self, key: str, value, expiry: int = None,
+                  app: Quart = None) -> None:
+        pass

setup.py

@@ -9,7 +9,7 @@ Links
 `````
 
 * `Github
-  <https://github.com/xmrdsc/quart-session>`_
+  <https://github.com/kroketio/quart-session>`_
 
 """
 from setuptools import setup
@@ -24,11 +24,11 @@ INSTALL_REQUIRES = [
 
 setup(
     name='Quart-Session',
-    version='0.0.1',
+    version='2.1.0',
-    url='https://github.com/xmrdsc/quart-session',
+    url='https://github.com/kroketio/quart-session',
     license='BSD',
-    author='dsc',
+    author='Kroket Ltd.',
-    author_email='dsc@xmr.pm',
+    author_email='code@kroket.io',
     description='Adds server-side session support to your Quart application',
     long_description=long_description,
     long_description_content_type='text/markdown',
@@ -38,7 +38,11 @@ setup(
     platforms='any',
     install_requires=INSTALL_REQUIRES,
     tests_require=INSTALL_REQUIRES + ["asynctest", "hypothesis", "pytest", "pytest-asyncio"],
-    extras_require={"dotenv": ["python-dotenv"]},
+    extras_require={
+        "dotenv": ["python-dotenv"],
+        "mongodb": ["motor>=2.5.1"],
+        "redis": ["redis>=4.4.0"]
+    },
     classifiers=[
         'Environment :: Web Environment',
         'Intended Audience :: Developers',