b3yond/ticketfrei
1
0
Fork 0
Code Issues 28 Pull requests Releases Wiki Activity

write and read CSRF cookie

Browse source
This commit is contained in:
b3yond 2019-01-27 14:52:42 +01:00
parent 60e1d8ec30
commit ec68f17b32
4 changed files with 20 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
frontend.py
View file

@ -144,6 +144,7 @@ def settings(user):
@post('/settings/markdown') @post('/settings/markdown')
#csrf
@view('template/settings.tpl') @view('template/settings.tpl')
def update_markdown(user): def update_markdown(user):
user.set_markdown(request.forms['markdown']) user.set_markdown(request.forms['markdown'])
@ -151,6 +152,7 @@ def update_markdown(user):
@post('/settings/mail_md') @post('/settings/mail_md')
#csrf
@view('template/settings.tpl') @view('template/settings.tpl')
def update_mail_md(user): def update_mail_md(user):
user.set_mail_md(request.forms['mail_md']) user.set_mail_md(request.forms['mail_md'])
@ -158,6 +160,7 @@ def update_mail_md(user):
@post('/settings/goodlist') @post('/settings/goodlist')
#csrf
@view('template/settings.tpl') @view('template/settings.tpl')
def update_trigger_patterns(user): def update_trigger_patterns(user):
user.set_trigger_words(request.forms['goodlist']) user.set_trigger_words(request.forms['goodlist'])
@ -165,6 +168,7 @@ def update_trigger_patterns(user):
@post('/settings/blocklist') @post('/settings/blocklist')
#csrf
@view('template/settings.tpl') @view('template/settings.tpl')
def update_badwords(user): def update_badwords(user):
user.set_badwords(request.forms['blocklist']) user.set_badwords(request.forms['blocklist'])
@ -172,15 +176,17 @@ def update_badwords(user):
@post('/settings/telegram') @post('/settings/telegram')
#csrf
def register_telegram(user): def register_telegram(user):
apikey = request.forms['apikey'] apikey = request.forms['apikey']
user.update_telegram_key(apikey) user.update_telegram_key(apikey)
return city_page(user.get_city(), info="Thanks for registering Telegram!") return city_page(user.get_city(), info="Thanks for registering Telegram!")
@get('/api/state') # unused afaik
def api_enable(user): #@get('/api/state')
return user.state() #def api_enable(user):
# return user.state()
@get('/static/<filename:path>') @get('/static/<filename:path>')
@ -197,6 +203,7 @@ def guides(filename):
def logout(): def logout():
# clear auth cookie # clear auth cookie
response.set_cookie('uid', '', expires=0, path="/") response.set_cookie('uid', '', expires=0, path="/")
response.set_cookie('csrf', '', expires=0, path="/")
# :todo show info "Logout successful." # :todo show info "Logout successful."
redirect('/') redirect('/')
@ -240,6 +247,7 @@ def twitter_callback(user):
@post('/login/mastodon') @post('/login/mastodon')
#csrf
def login_mastodon(user): def login_mastodon(user):
""" """
Mastodon OAuth authentication process. Mastodon OAuth authentication process.

5
session.py
View file

@ -1,4 +1,4 @@
from bottle import redirect, request from bottle import redirect, request, abort, response
from db import db from db import db
from functools import wraps from functools import wraps
from inspect import Signature from inspect import Signature
@ -21,6 +21,9 @@ class SessionPlugin(object):
if uid is None: if uid is None:
return redirect(self.loginpage) return redirect(self.loginpage)
kwargs[self.keyword] = User(uid) kwargs[self.keyword] = User(uid)
if request.method == 'POST':
if request.forms['csrf'] != request.get_cookie('csrf'):
abort(400)
return callback(*args, **kwargs) return callback(*args, **kwargs)
return wrapper return wrapper

1
template/settings.tpl
View file

@ -106,6 +106,7 @@
</p> </p>
<form action="/settings/markdown" method="post"> <form action="/settings/markdown" method="post">
<textarea id="markdown" rows="20" cols="70" name="markdown" wrap="physical">{{markdown}}</textarea> <textarea id="markdown" rows="20" cols="70" name="markdown" wrap="physical">{{markdown}}</textarea>
<input name='csrf' value='asdf' type='hidden' />
<input name='confirm' value='Save' type='submit'/> <input name='confirm' value='Save' type='submit'/>
</form> </form>
</div> </div>

4
user.py
View file

@ -4,12 +4,16 @@ from db import db
import jwt import jwt
from mastodon import Mastodon from mastodon import Mastodon
from pylibscrypt import scrypt_mcf, scrypt_mcf_check from pylibscrypt import scrypt_mcf, scrypt_mcf_check
from random import choice
class User(object): class User(object):
def __init__(self, uid): def __init__(self, uid):
# set cookie # set cookie
response.set_cookie('uid', uid, secret=db.get_secret(), path='/') response.set_cookie('uid', uid, secret=db.get_secret(), path='/')
allchar = "1234567890"
response.set_cookie('csrf', "".join(choice(allchar) for x in [32]),
db.get_secret(), path='/')
self.uid = uid self.uid = uid
def check_password(self, password): def check_password(self, password):