From cdecd170a0627d845521425a551b6bbf0f032c9c Mon Sep 17 00:00:00 2001
From: b3yond <b3yond@riseup.net>
Date: Sun, 27 Jan 2019 15:56:19 +0100
Subject: [PATCH] give CSRF token to template engine

---
 user.py | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/user.py b/user.py
index 43d9050..4ec7fc8 100644
--- a/user.py
+++ b/user.py
@@ -1,5 +1,5 @@
 from config import config
-from bottle import response
+from bottle import response, request
 from db import db
 import jwt
 from mastodon import Mastodon
@@ -11,10 +11,15 @@ class User(object):
     def __init__(self, uid):
         # set cookie
         response.set_cookie('uid', uid, secret=db.get_secret(), path='/')
-        allchar = "1234567890"
-        response.set_cookie('csrf', "".join(choice(allchar) for x in [32]),
-                            db.get_secret(), path='/')
         self.uid = uid
+        response.set_cookie('csrf', self.get_csrf(), db.get_secret(), path='/')
+
+    def get_csrf(self):
+        csrf_token = request.get_cookie('csrf')
+        if not csrf_token:
+            allchar = "1234567890"
+            csrf_token = "".join(choice(allchar) for x in [32])
+        return csrf_token
 
     def check_password(self, password):
         db.execute("SELECT passhash FROM user WHERE id=?;", (self.uid,))
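Review bot: The fallback generator in `get_csrf` produces a single digit, not a 32-character token: `for x in [32]` iterates over a one-element list, so the join yields one character from a ten-symbol alphabet, and `choice` (imported outside this hunk, presumably `random.choice`) is not a CSPRNG. Replace the two fallback lines with `csrf_token = secrets.token_urlsafe(32)` and add `import secrets` to the import block in the first hunk. Separately, the cookie is written with `db.get_secret()` as the signing secret on the `set_cookie` line but read back on the `request.get_cookie('csrf')` line without it, so a signed cookie comes back as its raw signed wrapper rather than the token and a client-supplied value is never signature-checked; read it as `csrf_token = request.get_cookie('csrf', secret=db.get_secret())` so tampered or unsigned values fall through to regeneration. A one-line docstring such as `"""Return the request's signed CSRF token, minting a fresh one when absent or invalid."""` would help the next reader. Both `__init__` and `get_csrf` are fully inside this hunk.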
@@ -239,6 +244,7 @@ schlitz
         # - mail_md
         # - goodlist
         # - blocklist
+        # - csrf
         # - logged in with twitter?
         # - logged in with mastodon?
         # - enabled?
@@ -248,7 +254,8 @@ schlitz
                     mail_md=citydict['mail_md'],
                     triggerwords=self.get_trigger_words(),
                     badwords=self.get_badwords(),
-                    enabled=self.enabled)
+                    enabled=self.enabled,
+                    csrf=self.get_csrf())
 
     def save_request_token(self, token):
         db.execute("""INSERT INTO
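Review bot: `csrf=self.get_csrf()` re-reads the incoming request cookie, so on a request where no `csrf` cookie exists yet the template receives a token minted independently of the one `__init__` just put in the response cookie (the second hunk calls `get_csrf()` again there), and the two will not match. Store the token once, e.g. `self.csrf = self.get_csrf()` in `__init__` before the `set_cookie` call, and pass `csrf=self.csrf` here so cookie and rendered token are guaranteed identical within a request. The enclosing render method starts outside this hunk, so I cannot confirm whether a `User` instance constructed in the same request is always the one rendering.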