def root_uri(req):
    """Render the CSRF-protection demo landing page for *req*.

    The page lists the login/logout and referer test links and, when a
    login cookie (``'hash'`` key in the session data) is present, two
    links to ``/protected`` carrying a CSRF token: one plain and one
    created with a timeout (the extra ``1`` argument to ``get_token``).
    Without a login cookie both token placeholders are rendered empty.

    Depends on a module-level ``secret`` (assumed to be the signing
    secret for ``get_token`` — confirm against the module header) and on
    ``cleandoc`` to strip the template's indentation.

    NOTE(review): the token values are interpolated into ``href``
    attributes without HTML/URL escaping; this is only safe while
    ``get_token`` returns attribute-safe characters — verify its output
    alphabet if the token format ever changes.
    """
    session = PoorSession(req)
    logged_in = 'hash' in session.data

    if logged_in:
        referer = create_referer(req, '/')
        user_hash = session.data['hash']
        plain_token = get_token(secret, user_hash, referer)
        timed_token = get_token(secret, user_hash, referer, 1)
    else:
        plain_token = timed_token = ''

    template = """
    <!DOCTYPE html>
    <html>
    <head>
    <title>CSRF Protect test</title>
    <meta http-equiv="content-type" content="text/html; charset=utf-8"/>
    <link rel="stylesheet" href="style.css">
    </head>
    <body>
    <h1>CSRF Protect test</h1>
    <nav>Login state: {login}</nav>
    <p>Base test links for create and destroy login cookie. If login cookie is not present (user is not logged), no token is set.</p>
    <ul>
    <li><a href="/">/</a> - Right request referer</li>
    <li><a href="/not_valid">/not_valid</a> - Not valid request referer </li>
    <li><a href="/login">/login</a> - Create login cookie</li>
    <li><a href="/logout">/logout</a> - Destroy login cookie</li>
    </ul>
    <p>This is link generate request for CSFR protected uri. If you want it from <a href="/not_valid">/not_valid</a> link or without login cookie, you got 403 Forbidden Access error page. Otherwise, you got right output.</p>
    <ul>
    <li><a href="/protected?token_tmp={token_tmp}">/protected by cookie </a></li>
    <li><a href="/protected?token_ttl={token_ttl}">/protected by cookie and timeout</a></li>
    </ul>
    </body>
    </html>
    """

    # `uri` is still read from the request for parity with the original
    # call, although the template has no {uri} placeholder to consume it.
    fields = {
        'login': logged_in,
        'uri': req.uri,
        'token_tmp': plain_token,
        'token_ttl': timed_token,
    }
    return cleandoc(template.format(**fields))
def do_create_token(req, uri):
    """Return a CSRF token bound to *uri* for the current user.

    A ``unicode`` *uri* is UTF-8 encoded first so the referer is built
    from bytes (this module targets Python 2, where ``unicode`` exists);
    any other value is passed to ``create_referer`` unchanged.  The token
    is derived from ``req.secret_key``, ``req.user_hash`` and the referer
    computed for *uri*.
    """
    target = uri.encode("utf-8") if isinstance(uri, unicode) else uri
    referer = create_referer(req, target)
    return csrf.get_token(req.secret_key, req.user_hash, referer)