Esempio n. 1
0
def generate_csrf(secret_key=None, time_limit=None):
    """Generate csrf token code.
    :param secret_key: A secret key for mixing in the token,
                       default is Flask.secret_key.
    :param time_limit: Token valid in the time limit,
                       default is 3600s.
    """
    if not secret_key:
        secret_key = flask.current_app.config['SECRET_KEY']
        if not secret_key:
            raise ValueError('Must provide secret_key to use csrf.')

    if time_limit is None:
        time_limit = flask.current_app.config['CSRF_TOKEN_TIME_LIMIT']

    if 'csrf_token' not in flask.session:
        flask.session['csrf_token'] = hashlib.sha1(os.urandom(64)).hexdigest()

    if time_limit:
        expires = int(time.time() + time_limit)
        csrf_build = '%s%s' % (flask.session['csrf_token'], expires)
    else:
        expires = ''
        csrf_build = flask.session['csrf_token']

    hmac_csrf = hmac.new(
        _compat.to_bytes(secret_key),
        _compat.to_bytes(csrf_build),
        digestmod=hashlib.sha1
    ).hexdigest()
    return '%s##%s' % (expires, hmac_csrf)
Esempio n. 2
0
def validate_csrf(data, secret_key=None, time_limit=None):
    """Check if the given data is a valid csrf token.
    :param data: The csrf token value to be checked.
    :param secret_key: A secret key for mixing in the token,
                       default is Flask.secret_key.
    :param time_limit: Check if the csrf token is expired.
                       default is True.
    """
    if not data or '##' not in data:
        return False

    expires, hmac_csrf = data.split('##', 1)

    if time_limit is None:
        time_limit = flask.current_app.config['CSRF_TOKEN_TIME_LIMIT']

    if time_limit:
        try:
            expires = int(expires)
        except ValueError:
            return False

        now = int(time.time())
        if now > expires:
            return False

    if not secret_key:
        secret_key = flask.current_app.config['SECRET_KEY']
        if not secret_key:
            raise ValueError('Must provide secret_key to use csrf.')

    if 'csrf_token' not in flask.session:
        return False

    csrf_build = '%s%s' % (flask.session['csrf_token'], expires)
    hmac_compare = hmac.new(
        _compat.to_bytes(secret_key),
        _compat.to_bytes(csrf_build),
        digestmod=hashlib.sha1
    ).hexdigest()

    return werkzeug.security.safe_str_cmp(hmac_compare, hmac_csrf)