From ec68f17b320e562f161e3edfa837696fafab7c43 Mon Sep 17 00:00:00 2001
From: b3yond <b3yond@riseup.net>
Date: Sun, 27 Jan 2019 14:52:42 +0100
Subject: [PATCH] write and read CSRF cookie

---
 frontend.py           | 14 +++++++++++---
 session.py            |  5 ++++-
 template/settings.tpl |  1 +
 user.py               |  4 ++++
 4 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/frontend.py b/frontend.py
index 452769f..c6076ae 100755
--- a/frontend.py
+++ b/frontend.py
@@ -144,6 +144,7 @@ def settings(user):
 
 
 @post('/settings/markdown')
+#csrf
 @view('template/settings.tpl')
 def update_markdown(user):
     user.set_markdown(request.forms['markdown'])
@@ -151,6 +152,7 @@ def update_markdown(user):
 
 
 @post('/settings/mail_md')
+#csrf
 @view('template/settings.tpl')
 def update_mail_md(user):
     user.set_mail_md(request.forms['mail_md'])
@@ -158,6 +160,7 @@ def update_mail_md(user):
 
 
 @post('/settings/goodlist')
+#csrf
 @view('template/settings.tpl')
 def update_trigger_patterns(user):
     user.set_trigger_words(request.forms['goodlist'])
@@ -165,6 +168,7 @@ def update_trigger_patterns(user):
 
 
 @post('/settings/blocklist')
+#csrf
 @view('template/settings.tpl')
 def update_badwords(user):
     user.set_badwords(request.forms['blocklist'])
@@ -172,15 +176,17 @@ def update_badwords(user):
 
 
 @post('/settings/telegram')
+#csrf
 def register_telegram(user):
     apikey = request.forms['apikey']
     user.update_telegram_key(apikey)
     return city_page(user.get_city(), info="Thanks for registering Telegram!")
 
 
-@get('/api/state')
-def api_enable(user):
-    return user.state()
+# unused afaik
+#@get('/api/state')
+#def api_enable(user):
+#    return user.state()
 
 
 @get('/static/<filename:path>')
@@ -197,6 +203,7 @@ def guides(filename):
 def logout():
     # clear auth cookie
     response.set_cookie('uid', '', expires=0, path="/")
+    response.set_cookie('csrf', '', expires=0, path="/")
     # :todo show info "Logout successful."
     redirect('/')
 
@@ -240,6 +247,7 @@ def twitter_callback(user):
 
 
 @post('/login/mastodon')
+#csrf
 def login_mastodon(user):
     """
     Mastodon OAuth authentication process.
diff --git a/session.py b/session.py
index b361604..b1a0b62 100644
--- a/session.py
+++ b/session.py
@@ -1,4 +1,4 @@
-from bottle import redirect, request
+from bottle import redirect, request, abort, response
 from db import db
 from functools import wraps
 from inspect import Signature
@@ -21,6 +21,9 @@ class SessionPlugin(object):
                 if uid is None:
                     return redirect(self.loginpage)
                 kwargs[self.keyword] = User(uid)
+                if request.method == 'POST':
+                    if request.forms['csrf'] != request.get_cookie('csrf'):
+                        abort(400)
                 return callback(*args, **kwargs)
 
             return wrapper
diff --git a/template/settings.tpl b/template/settings.tpl
index dae30ce..0971d1b 100644
--- a/template/settings.tpl
+++ b/template/settings.tpl
@@ -106,6 +106,7 @@
     </p>
     <form action="/settings/markdown" method="post">
         <textarea id="markdown" rows="20" cols="70" name="markdown" wrap="physical">{{markdown}}</textarea>
+        <input name='csrf' value='asdf' type='hidden' />
         <input name='confirm' value='Save' type='submit'/>
     </form>
 </div>
diff --git a/user.py b/user.py
index 92eb463..43d9050 100644
--- a/user.py
+++ b/user.py
@@ -4,12 +4,16 @@ from db import db
 import jwt
 from mastodon import Mastodon
 from pylibscrypt import scrypt_mcf, scrypt_mcf_check
+from random import choice
 
 
 class User(object):
     def __init__(self, uid):
         # set cookie
         response.set_cookie('uid', uid, secret=db.get_secret(), path='/')
+        allchar = "1234567890"
+        response.set_cookie('csrf', "".join(choice(allchar) for x in [32]),
+                            db.get_secret(), path='/')
         self.uid = uid
 
     def check_password(self, password):