write and read CSRF cookie

2019-01-27 14:52:42 +01:00 · 2019-01-27 14:52:42 +01:00 · ddefc2aafa
parent 60e1d8ec30
commit ddefc2aafa
3 changed files with 21 additions and 1 deletions
--- a/frontend.py
+++ b/frontend.py
@ -144,6 +144,7 @@ def settings(user):


@post('/settings/markdown')
+#csrf
@view('template/settings.tpl')
 def update_markdown(user):
    user.set_markdown(request.forms['markdown'])
@ -151,6 +152,7 @@ def update_markdown(user):


@post('/settings/mail_md')
+#csrf
@view('template/settings.tpl')
 def update_mail_md(user):
    user.set_mail_md(request.forms['mail_md'])
@ -158,6 +160,7 @@ def update_mail_md(user):


@post('/settings/goodlist')
+#csrf
@view('template/settings.tpl')
 def update_trigger_patterns(user):
    user.set_trigger_words(request.forms['goodlist'])
@ -165,6 +168,7 @@ def update_trigger_patterns(user):


@post('/settings/blocklist')
+#csrf
@view('template/settings.tpl')
 def update_badwords(user):
    user.set_badwords(request.forms['blocklist'])
@ -172,6 +176,7 @@ def update_badwords(user):


@post('/settings/telegram')
+#csrf
 def register_telegram(user):
    apikey = request.forms['apikey']
    user.update_telegram_key(apikey)
@ -179,6 +184,7 @@ def register_telegram(user):


@get('/api/state')
+#csrf
 def api_enable(user):
    return user.state()

@ -198,6 +204,8 @@ def logout():
    # clear auth cookie
    response.set_cookie('uid', '', expires=0, path="/")
    # :todo show info "Logout successful."
+    allchar = "1234567890"
+    response.set_cookie('csrf', '', expires=0, path="/")
    redirect('/')


@ -240,6 +248,7 @@ def twitter_callback(user):


@post('/login/mastodon')
+#csrf
 def login_mastodon(user):
    """
    Mastodon OAuth authentication process.
--- a/session.py
+++ b/session.py
@ -1,4 +1,4 @@
-from bottle import redirect, request
+from bottle import redirect, request, abort, response
 from db import db
 from functools import wraps
 from inspect import Signature
@ -21,6 +21,13 @@ class SessionPlugin(object):
                if uid is None:
                    return redirect(self.loginpage)
                kwargs[self.keyword] = User(uid)
+                csrf = None  # initialize variable
+                if request.method == 'POST':
+                    csrf = request.form.get('csrf')
+                elif request.method == 'GET':
+                    csrf = request.args.get('csrf')
+                if csrf != request.get_cookie('csrf'):
+                        abort(400)
                return callback(*args, **kwargs)

            return wrapper
--- a/user.py
+++ b/user.py
@ -4,12 +4,16 @@ from db import db
 import jwt
 from mastodon import Mastodon
 from pylibscrypt import scrypt_mcf, scrypt_mcf_check
+from random import choice


 class User(object):
    def __init__(self, uid):
        # set cookie
        response.set_cookie('uid', uid, secret=db.get_secret(), path='/')
+        allchar = "1234567890"
+        response.set_cookie('csrf', "".join(choice(allchar) for x in [32]),
+                            db.get_secret(), path='/')
        self.uid = uid

    def check_password(self, password):