write and read CSRF cookie
parent
bc7dc80b21
commit
d0feecc9b2
14
frontend.py
14
frontend.py
|
|
@ -144,6 +144,7 @@ def settings(user):
|
|||
|
||||
|
||||
@post('/settings/markdown')
|
||||
#csrf
|
||||
@view('template/settings.tpl')
|
||||
def update_markdown(user):
|
||||
user.set_markdown(request.forms['markdown'])
|
||||
|
|
@ -151,6 +152,7 @@ def update_markdown(user):
|
|||
|
||||
|
||||
@post('/settings/mail_md')
|
||||
#csrf
|
||||
@view('template/settings.tpl')
|
||||
def update_mail_md(user):
|
||||
user.set_mail_md(request.forms['mail_md'])
|
||||
|
|
@ -158,6 +160,7 @@ def update_mail_md(user):
|
|||
|
||||
|
||||
@post('/settings/goodlist')
|
||||
#csrf
|
||||
@view('template/settings.tpl')
|
||||
def update_trigger_patterns(user):
|
||||
user.set_trigger_words(request.forms['goodlist'])
|
||||
|
|
@ -165,6 +168,7 @@ def update_trigger_patterns(user):
|
|||
|
||||
|
||||
@post('/settings/blocklist')
|
||||
#csrf
|
||||
@view('template/settings.tpl')
|
||||
def update_badwords(user):
|
||||
user.set_badwords(request.forms['blocklist'])
|
||||
|
|
@ -172,15 +176,17 @@ def update_badwords(user):
|
|||
|
||||
|
||||
@post('/settings/telegram')
|
||||
#csrf
|
||||
def register_telegram(user):
|
||||
apikey = request.forms['apikey']
|
||||
user.update_telegram_key(apikey)
|
||||
return city_page(user.get_city(), info="Thanks for registering Telegram!")
|
||||
|
||||
|
||||
@get('/api/state')
|
||||
def api_enable(user):
|
||||
return user.state()
|
||||
# unused afaik
|
||||
#@get('/api/state')
|
||||
#def api_enable(user):
|
||||
# return user.state()
|
||||
|
||||
|
||||
@get('/static/<filename:path>')
|
||||
|
|
@ -197,6 +203,7 @@ def guides(filename):
|
|||
def logout():
|
||||
# clear auth cookie
|
||||
response.set_cookie('uid', '', expires=0, path="/")
|
||||
response.set_cookie('csrf', '', expires=0, path="/")
|
||||
# :todo show info "Logout successful."
|
||||
redirect('/')
|
||||
|
||||
|
|
@ -240,6 +247,7 @@ def twitter_callback(user):
|
|||
|
||||
|
||||
@post('/login/mastodon')
|
||||
#csrf
|
||||
def login_mastodon(user):
|
||||
"""
|
||||
Mastodon OAuth authentication process.
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
from bottle import redirect, request
|
||||
from bottle import redirect, request, abort, response
|
||||
from db import db
|
||||
from functools import wraps
|
||||
from inspect import Signature
|
||||
|
|
@ -21,6 +21,9 @@ class SessionPlugin(object):
|
|||
if uid is None:
|
||||
return redirect(self.loginpage)
|
||||
kwargs[self.keyword] = User(uid)
|
||||
if request.method == 'POST':
|
||||
if request.forms['csrf'] != request.get_cookie('csrf'):
|
||||
abort(400)
|
||||
return callback(*args, **kwargs)
|
||||
|
||||
return wrapper
|
||||
|
|
|
|||
|
|
@ -106,6 +106,7 @@
|
|||
</p>
|
||||
<form action="/settings/markdown" method="post">
|
||||
<textarea id="markdown" rows="20" cols="70" name="markdown" wrap="physical">{{markdown}}</textarea>
|
||||
<input name='csrf' value='asdf' type='hidden' />
|
||||
<input name='confirm' value='Save' type='submit'/>
|
||||
</form>
|
||||
</div>
|
||||
|
|
|
|||
4
user.py
4
user.py
|
|
@ -4,12 +4,16 @@ from db import db
|
|||
import jwt
|
||||
from mastodon import Mastodon
|
||||
from pylibscrypt import scrypt_mcf, scrypt_mcf_check
|
||||
from random import choice
|
||||
|
||||
|
||||
class User(object):
|
||||
def __init__(self, uid):
|
||||
# set cookie
|
||||
response.set_cookie('uid', uid, secret=db.get_secret(), path='/')
|
||||
allchar = "1234567890"
|
||||
response.set_cookie('csrf', "".join(choice(allchar) for x in [32]),
|
||||
db.get_secret(), path='/')
|
||||
self.uid = uid
|
||||
|
||||
def check_password(self, password):
|
||||
|
|
|
|||
Loading…
Reference in New Issue