From e735936c7ad8906dc2d8b5e1251578f7c20de3b0 Mon Sep 17 00:00:00 2001
From: b3yond
Date: Sun, 27 Jan 2019 16:31:59 +0100
Subject: [PATCH] hardened the token and fixed the signature

---
 session.py | 3 ++-
 user.py | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/session.py b/session.py
index b1a0b62..ccda7bb 100644
--- a/session.py
+++ b/session.py
@@ -22,7 +22,8 @@ class SessionPlugin(object):
 return redirect(self.loginpage)
 kwargs[self.keyword] = User(uid)
 if request.method == 'POST':
- if request.forms['csrf'] != request.get_cookie('csrf'):
+ if request.forms['csrf'] != request.get_cookie('csrf',
+ secret=db.get_secret()):
 abort(400)
 return callback(*args, **kwargs)
diff --git a/user.py b/user.py
index 4ec7fc8..4ff1db1 100644
--- a/user.py
+++ b/user.py
@@ -15,10 +15,10 @@ class User(object):
 response.set_cookie('csrf', self.get_csrf(), db.get_secret(), path='/')

 def get_csrf(self):
- csrf_token = request.get_cookie('csrf')
+ csrf_token = request.get_cookie('csrf', secret=db.get_secret())
 if not csrf_token:
- allchar = "1234567890"
- csrf_token = "".join(choice(allchar) for x in [32])
+ allchar = "0123456789"
+ csrf_token = "".join(choice(allchar) for x in range(32))
 return csrf_token

 def check_password(self, password):
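Review bot: The new `+` lines in session.py compare the form token against the signed cookie with a plain `!=`, and the guard on the surrounding context line runs only for `POST`, so `PUT`/`PATCH`/`DELETE` handlers registered through this plugin skip the double-submit check entirely. If this is Bottle, `get_cookie(..., secret=...)` returns `None` when the cookie is absent or its signature does not verify, and `request.forms['csrf']` on a missing field presumably raises rather than yielding 400 — verify both. Consider `cookie = request.get_cookie('csrf', secret=db.get_secret())` followed by `if not cookie or not hmac.compare_digest(request.forms.get('csrf', ''), cookie): abort(400)`, with `import hmac` at the top of the file, and widening the method test to every state-changing verb. The enclosing wrapper function starts before the hunk.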
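Review bot: In the user.py hunk, `choice(allchar)` on the new `+` line is presumably `random.choice` (the import is outside the hunk — confirm), which is a Mersenne Twister, not a CSPRNG, so the token is predictable to anyone who can observe enough prior outputs; a CSRF token should come from the `secrets` module, e.g. `csrf_token = secrets.token_urlsafe(32)` with `import secrets` at the top of the file, which also drops the `allchar` alphabet. The `range(32)` change is the right fix — the old `[32]` generated a single digit — and reading the cookie with `secret=db.get_secret()` now matches how `set_cookie` signs it on the context line above. The `get_csrf` method is complete within the hunk.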