hardened the token and fixed the signature

2019-01-27 16:31:59 +01:00 · 2019-01-27 16:31:59 +01:00 · e735936c7a
parent ee9b051c71
commit e735936c7a
2 changed files with 5 additions and 4 deletions
--- a/session.py
+++ b/session.py
@ -22,7 +22,8 @@ class SessionPlugin(object):
                    return redirect(self.loginpage)
                kwargs[self.keyword] = User(uid)
                if request.method == 'POST':
-                    if request.forms['csrf'] != request.get_cookie('csrf'):
+                    if request.forms['csrf'] != request.get_cookie('csrf',
+                                                        secret=db.get_secret()):
                        abort(400)
                return callback(*args, **kwargs)

--- a/user.py
+++ b/user.py
@ -15,10 +15,10 @@ class User(object):
        response.set_cookie('csrf', self.get_csrf(), db.get_secret(), path='/')

    def get_csrf(self):
-        csrf_token = request.get_cookie('csrf')
+        csrf_token = request.get_cookie('csrf', secret=db.get_secret())
        if not csrf_token:
-            allchar = "1234567890"
-            csrf_token = "".join(choice(allchar) for x in [32])
+            allchar = "0123456789"
+            csrf_token = "".join(choice(allchar) for x in range(32))
        return csrf_token

    def check_password(self, password):