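def root_uri(req):
    """Render the index page of the CSRF-protection test application.

    The session cookie is read through PoorSession. When it contains a
    'hash' entry the user counts as logged in and two tokens are derived
    with get_token for the referer of '/': one bound to the cookie hash
    only and one created with an extra trailing argument of 1 (the
    timeout variant). Without a login cookie both tokens are empty
    strings, so the /protected links carry empty query parameters.

    Args:
        req: request object handed to PoorSession and create_referer.

    Returns:
        The rendered HTML page with common indentation removed by cleandoc.
    """
    cookie = PoorSession(req)
    logged_in = 'hash' in cookie.data

    if logged_in:
        referer = create_referer(req, '/')
        user_hash = cookie.data['hash']
        token_tmp = get_token(secret, user_hash, referer)
        # The trailing 1 selects the timeout-bound token; its unit is
        # defined by get_token, not visible here.
        token_ttl = get_token(secret, user_hash, referer, 1)
    else:
        token_tmp = token_ttl = ''

    # NOTE(review): the tokens are interpolated straight into href
    # attributes without HTML or URL escaping; this relies on get_token
    # returning only attribute- and query-safe characters — confirm.
    template = """
    <!DOCTYPE html>
    <html>
      <head>
        <title>CSRF Protect test</title>
        <meta http-equiv="content-type" content="text/html; charset=utf-8"/>
        <link rel="stylesheet" href="style.css">
      </head>
      <body>
        <h1>CSRF Protect test</h1>
        <nav>Login state: {login}</nav>
        <p>Base test links for create and destroy login cookie. If login
          cookie is not present (user is not logged), no token is set.</p>
        <ul>
          <li><a href="/">/</a> - Right request referer</li>
          <li><a href="/not_valid">/not_valid</a> - Not valid request referer
            </li>
          <li><a href="/login">/login</a> - Create login cookie</li>
          <li><a href="/logout">/logout</a> - Destroy login cookie</li>
        </ul>

        <p>This is link generate request for CSFR protected uri. If you want it
          from <a href="/not_valid">/not_valid</a> link or without login
          cookie, you got 403 Forbidden Access error page. Otherwise, you got
          right output.</p>
        <ul>
          <li><a href="/protected?token_tmp={token_tmp}">/protected by cookie
            </a></li>
          <li><a href="/protected?token_ttl={token_ttl}">/protected by cookie
            and timeout</a></li>
        </ul>

      </body>
    </html>
    """
    # Only the placeholders present in the template are supplied; the
    # original also passed an unused ``uri`` keyword.
    page = template.format(
        login=logged_in,
        token_tmp=token_tmp,
        token_ttl=token_ttl,
    )
    return cleandoc(page)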
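def do_create_token(req, uri):
    """Create a CSRF token bound to *uri*.

    The token is computed by csrf.get_token from the request's secret key,
    the user hash stored on the request and a referer built by
    create_referer for *uri*.

    Args:
        req: request object exposing ``secret_key`` and ``user_hash``.
        uri: path the token is bound to, as text or as already encoded
            bytes. Text is UTF-8 encoded before the referer is built.

    Returns:
        The value returned by csrf.get_token.
    """
    # The original tested ``isinstance(uri, unicode)``, a name that only
    # exists on Python 2 and raises NameError on Python 3. Resolve the text
    # type at call time so the same check works on both interpreters while
    # keeping the exact "encode only text" behaviour for other inputs.
    try:
        text_type = unicode  # Python 2
    except NameError:
        text_type = str  # Python 3
    if isinstance(uri, text_type):
        uri = uri.encode("utf-8")
    referer = create_referer(req, uri)
    return csrf.get_token(req.secret_key, req.user_hash, referer)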