hardened the token and fixed the signature
This commit is contained in:
parent
ee9b051c71
commit
e735936c7a
|
@ -22,7 +22,8 @@ class SessionPlugin(object):
|
||||||
return redirect(self.loginpage)
|
return redirect(self.loginpage)
|
||||||
kwargs[self.keyword] = User(uid)
|
kwargs[self.keyword] = User(uid)
|
||||||
if request.method == 'POST':
|
if request.method == 'POST':
|
||||||
if request.forms['csrf'] != request.get_cookie('csrf'):
|
if request.forms['csrf'] != request.get_cookie('csrf',
|
||||||
|
secret=db.get_secret()):
|
||||||
abort(400)
|
abort(400)
|
||||||
return callback(*args, **kwargs)
|
return callback(*args, **kwargs)
|
||||||
|
|
||||||
|
|
6
user.py
6
user.py
|
@ -15,10 +15,10 @@ class User(object):
|
||||||
response.set_cookie('csrf', self.get_csrf(), db.get_secret(), path='/')
|
response.set_cookie('csrf', self.get_csrf(), db.get_secret(), path='/')
|
||||||
|
|
||||||
def get_csrf(self):
|
def get_csrf(self):
|
||||||
csrf_token = request.get_cookie('csrf')
|
csrf_token = request.get_cookie('csrf', secret=db.get_secret())
|
||||||
if not csrf_token:
|
if not csrf_token:
|
||||||
allchar = "1234567890"
|
allchar = "0123456789"
|
||||||
csrf_token = "".join(choice(allchar) for x in [32])
|
csrf_token = "".join(choice(allchar) for x in range(32))
|
||||||
return csrf_token
|
return csrf_token
|
||||||
|
|
||||||
def check_password(self, password):
|
def check_password(self, password):
|
||||||
|
|
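Review bot: The new token on the `csrf_token = "".join(choice(allchar) for x in range(32))` line is still generated with `choice`, which — if that is `random.choice` as the name suggests (the import is outside this hunk) — is a Mersenne Twister PRNG whose output is predictable from observed values, so the 32-digit token is not unguessable in the way a CSRF token must be. Use the CSPRNG instead: `csrf_token = secrets.token_hex(16)` (with `import secrets` at the top of the file), which also removes the `allchar` alphabet and its digit-only restriction. Signing the cookie with `secret=db.get_secret()` is what this commit adds and is the right fix for a client planting its own token; the generation step is the remaining weak link. `get_csrf` lies fully inside this hunk and takes `self` without reading instance state, while the method at the top of the hunk that calls `response.set_cookie` begins outside it.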