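def csrf_handler(app, request, next_handler):
    """Validate the CSRF token on unsafe requests, then delegate to ``next_handler``.

    Requests whose method is in ``SAFE_HTTP_METHODS``, and resources whose
    ``resource_config.csrf_exempt`` is truthy, skip validation.  Every other
    request must pass all of the following, in order:

    * over ``https``, a ``Referer`` that shares the request's origin
      (``_same_origin``);
    * a token stored in ``request.session`` under the key returned by
      ``get_token``;
    * a cookie under that same key whose unmasked value equals the session
      token;
    * a matching token in either ``request.POST`` under that key (removed
      after validation) or the request header named by ``get_header``.

    Each failed check is reported via ``_forbid``.  The control flow assumes
    ``_forbid`` raises: if it merely returned, the later checks would run with
    ``expected_token`` unbound.

    On GET/HEAD the masked token is (re)issued as a cookie under the key,
    expiring one year out.

    Args:
        app: application object forwarded to ``next_handler``.
        request: the incoming request; must expose ``method``, ``scheme``,
            ``referer``, ``url``, ``session``, ``cookies``, ``POST``,
            ``headers``, ``resource_config``, ``unmask_csrf_token`` and
            ``masked_csrf_token``.
        next_handler: callable ``(app, request) -> response``.

    Returns:
        The response produced by ``next_handler``, with the CSRF cookie set
        when the method is GET or HEAD.
    """
    key = get_token(request)       # name of the session/cookie/POST entry
    header = get_header(request)   # name of the request header carrying it

    if request.method not in SAFE_HTTP_METHODS:
        if request.resource_config.csrf_exempt:
            log.debug('CSRF: exempt: {}'.format(request.url))
        else:
            # Referer is only checked over https -- presumably because on
            # plain http it is too easily stripped or spoofed to be a useful
            # signal.
            if request.scheme == 'https':
                if request.referer is None:
                    _forbid('no REFERER for secure request')
                if not _same_origin(request.url, request.referer):
                    _forbid('origins differ: got {}; expected {}'.format(
                        request.referer, request.url))

            if key in request.session:
                expected_token = request.session[key]
            else:
                _forbid('token not present in session')

            # NOTE(review): the mismatch messages below embed the expected
            # (secret) token; make sure _forbid does not echo them to the
            # client or write them to logs an attacker could read.
            if key in request.cookies:
                cookie_token = request.unmask_csrf_token(request.cookies[key])
                if not constant_time_compare(cookie_token, expected_token):
                    _forbid(
                        'cookie token mismatch: got {}; expected {}'.format(
                            cookie_token, expected_token))
            else:
                _forbid('token not present in cookies')

            if key in request.POST:
                post_token = request.unmask_csrf_token(request.POST[key])
                if not constant_time_compare(post_token, expected_token):
                    _forbid('POST token mismatch: got {}; expected {}'.format(
                        post_token, expected_token))
                # Strip the token so downstream handlers never see it as a
                # form field.
                del request.POST[key]
            elif header in request.headers:
                header_token = request.unmask_csrf_token(
                    request.headers[header])
                if not constant_time_compare(header_token, expected_token):
                    _forbid(
                        'header token mismatch: got {}; expected {}'.format(
                            header_token, expected_token))
            else:
                _forbid('no token present (in POST params or headers)')

            log.debug('CSRF: token validated')

    response = next_handler(app, request)

    if request.method in ('GET', 'HEAD'):
        one_year_from_now = datetime.utcnow() + timedelta(days=365)
        masked_token = request.masked_csrf_token
        # Fix: the cookie must be named by ``key``.  The original reused the
        # ``token`` variable for the masked value and passed it as the cookie
        # *name*, so the ``key in request.cookies`` check above could never
        # find it on the next unsafe request.
        # NOTE(review): no ``secure`` flag is passed here; consider setting
        # it when request.scheme == 'https' if set_cookie supports it.
        response.set_cookie(key, masked_token, expires=one_year_from_now)
        log.debug('CSRF: cookie set')

    return response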
def csrf_handler(app, request, next_handler):
    """Enforce the CSRF check on unsafe requests and refresh the token cookie on GET/HEAD.

    Requests whose method is listed in ``SAFE_HTTP_METHODS``, and resources
    flagged ``csrf_exempt`` in ``request.resource_config``, pass straight
    through.  All others must satisfy, in order: a same-origin ``Referer``
    (only enforced when ``request.scheme`` is ``"https"``), a session token
    under ``KEY``, a cookie under ``KEY`` whose unmasked value equals the
    session token, and a matching token either in ``request.POST[KEY]``
    (deleted once verified) or in the ``HEADER`` request header.  Each
    failed check is handed to ``_forbid``; the straight-line flow relies on
    ``_forbid`` raising rather than returning.

    Args:
        app: passed through to ``next_handler``.
        request: the current request object.
        next_handler: ``callable(app, request) -> response``.

    Returns:
        The response from ``next_handler``; on GET/HEAD it additionally
        carries ``request.masked_csrf_token`` as a cookie named ``KEY``
        that expires 365 days from now.
    """
    def reject_on_mismatch(source, presented, expected):
        # All three token comparisons share one message shape and must go
        # through constant_time_compare so timing does not leak the token.
        if not constant_time_compare(presented, expected):
            _forbid("{} token mismatch: got {}; expected {}".format(source, presented, expected))

    unsafe = request.method not in SAFE_HTTP_METHODS
    if unsafe and request.resource_config.csrf_exempt:
        log.debug("CSRF: exempt: {}".format(request.url))
    elif unsafe:
        if request.scheme == "https":
            referer = request.referer
            if referer is None:
                _forbid("no REFERER for secure request")
            if not _same_origin(request.url, referer):
                _forbid("origins differ: got {}; expected {}".format(referer, request.url))

        if KEY in request.session:
            expected = request.session[KEY]
        else:
            _forbid("token not present in session")

        if KEY in request.cookies:
            reject_on_mismatch("cookie", request.unmask_csrf_token(request.cookies[KEY]), expected)
        else:
            _forbid("token not present in cookies")

        if KEY in request.POST:
            reject_on_mismatch("POST", request.unmask_csrf_token(request.POST[KEY]), expected)
            # Consumed: downstream handlers should not see the token as a field.
            del request.POST[KEY]
        elif HEADER in request.headers:
            reject_on_mismatch("header", request.unmask_csrf_token(request.headers[HEADER]), expected)
        else:
            _forbid("no token present (in POST params or headers)")

        log.debug("CSRF: token validated")

    response = next_handler(app, request)

    if request.method in ("GET", "HEAD"):
        expiry = datetime.utcnow() + timedelta(days=365)
        response.set_cookie(KEY, request.masked_csrf_token, expires=expiry)
        log.debug("CSRF: cookie set")

    return response
def passwords_equal(plain_text_password, hashed_password):
    """Return whether ``plain_text_password`` hashes to ``hashed_password``.

    The candidate is run through ``hash_password`` with the stored hash as
    its second argument (presumably so the stored salt/parameters are reused
    -- verify against ``hash_password``), and the result is compared with
    ``constant_time_compare`` so the comparison time does not reveal how
    much of the hash matched.
    """
    candidate = hash_password(plain_text_password, hashed_password)
    return constant_time_compare(candidate, hashed_password)