hardened the token and fixed the signature

This commit is contained in:
b3yond 2019-01-27 16:31:59 +01:00
parent ee9b051c71
commit e735936c7a
2 changed files with 5 additions and 4 deletions


@ -22,7 +22,8 @@ class SessionPlugin(object):
return redirect(self.loginpage) return redirect(self.loginpage)
kwargs[self.keyword] = User(uid) kwargs[self.keyword] = User(uid)
if request.method == 'POST': if request.method == 'POST':
if request.forms['csrf'] != request.get_cookie('csrf'): if request.forms['csrf'] != request.get_cookie('csrf',
secret=db.get_secret()):
abort(400) abort(400)
return callback(*args, **kwargs) return callback(*args, **kwargs)
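Review bot: The changed comparison `request.forms['csrf'] != request.get_cookie('csrf', secret=db.get_secret())` still has two weaknesses the signature fix does not address: a POST without a `csrf` field raises KeyError on the subscript (an unhandled 500 rather than the intended `abort(400)`), and `!=` is a short-circuiting string compare rather than a constant-time one. I would read both tokens first, `form_token = request.forms.get('csrf')` and `cookie_token = request.get_cookie('csrf', secret=db.get_secret())`, then guard with `if not form_token or not cookie_token or not hmac.compare_digest(form_token, cookie_token): abort(400)`, which also covers the case where `get_cookie` returns None because the cookie signature failed to verify. `hmac` would need an import at the top of the file, which is outside this hunk, as is the start of the enclosing wrapper function. A one-line comment above the check, `# double-submit CSRF check: form value must match the signed cookie`, would make the intent clear to the next reader.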


@ -15,10 +15,10 @@ class User(object):
response.set_cookie('csrf', self.get_csrf(), db.get_secret(), path='/') response.set_cookie('csrf', self.get_csrf(), db.get_secret(), path='/')
def get_csrf(self): def get_csrf(self):
csrf_token = request.get_cookie('csrf') csrf_token = request.get_cookie('csrf', secret=db.get_secret())
if not csrf_token: if not csrf_token:
allchar = "1234567890" allchar = "0123456789"
csrf_token = "".join(choice(allchar) for x in [32]) csrf_token = "".join(choice(allchar) for x in range(32))
return csrf_token return csrf_token
def check_password(self, password): def check_password(self, password):
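Review bot: The new token generation on the `range(32)` line depends on where `choice` is imported from, and that import is outside this hunk; if it is `random.choice`, the token comes from a non-cryptographic PRNG and is predictable once a few tokens are observed, so the comparison in the session plugin does not give the protection intended. Use `from secrets import choice` instead, or replace the join with `csrf_token = secrets.token_hex(16)` and drop the `allchar` line (import at file top, not visible here). The digit-only alphabet is acceptable with a CSPRNG at 32 characters but gains nothing over `token_hex`. `get_csrf` also deserves a docstring stating that it returns the value of the signed `csrf` cookie when present and otherwise mints a new token that the caller is expected to set on the response, since the method itself does not persist it.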