Esempio n. 1
0
def check_csrf():
    """Verifies one of the following is true, or aborts with 400.

  a) the request includes a valid CSRF token
  b) the origin is explicitly allowed
  c) the request includes a valid internal token
  """
    if request.method in ['OPTIONS', 'GET']:
        return

    try:
        validate_csrf(request.headers.get('X-CSRFToken'))

        return
    except ValidationError:
        pass

    if request.headers.get('origin') in ADDITIONAL_ALLOWED_ORIGINS:
        return

    if request.path in csrf_exempt_paths:
        return

    try:
        validate_internal_request(request)

        return
    except InvalidInternalToken:
        pass

    abort(400, 'Invalid CSRF token.')
Esempio n. 2
0
    def test_validate_internal_request__no_token(self):
        mock_request = Mock()

        mock_request.headers = {}

        with self.assertRaises(services.InvalidInternalToken) as cm:
            services.validate_internal_request(mock_request)

        self.assertEqual('no token', str(cm.exception))
Esempio n. 3
0
    def test_validate_internal_request__invalid_signature__no_exp(
            self, mock_get_config_by_key_path):
        token = jwt.encode({'url': 'https://trot.to/api/users'},
                           'so_secret',
                           algorithm='HS256')

        mock_request = Mock()

        mock_request.headers = {'X-Token': token}
        mock_request.url = 'https://trot.to/api/users'

        with self.assertRaises(services.InvalidInternalToken) as cm:
            services.validate_internal_request(mock_request)

        self.assertEqual('missing exp', str(cm.exception))

        mock_get_config_by_key_path.assert_called_once_with(['signing_secret'])
Esempio n. 4
0
    def test_validate_internal_request__mismatched_url(
            self, mock_get_config_by_key_path):
        token = jwt.encode(
            {
                'exp':
                datetime.datetime.utcnow() + datetime.timedelta(seconds=30),
                'url': 'https://trot.to/api/users/1'
            },
            'so_secret',
            algorithm='HS256')

        mock_request = Mock()

        mock_request.headers = {'X-Token': token}
        mock_request.url = 'https://trot.to/api/users'

        with self.assertRaises(services.InvalidInternalToken) as cm:
            services.validate_internal_request(mock_request)

        self.assertEqual('mismatched URL', str(cm.exception))

        mock_get_config_by_key_path.assert_called_once_with(['signing_secret'])
Esempio n. 5
0
    def test_validate_internal_request__valid_token(
            self, mock_get_config_by_key_path):
        token = jwt.encode(
            {
                'exp':
                datetime.datetime.utcnow() + datetime.timedelta(seconds=30),
                'url': 'https://trot.to/api/users'
            },
            'so_secret',
            algorithm='HS256')

        mock_request = Mock()

        mock_request.headers = {'X-Token': token}
        mock_request.url = 'https://trot.to/api/users'

        self.assertEqual(True,
                         services.validate_internal_request(mock_request))

        mock_get_config_by_key_path.assert_called_once_with(['signing_secret'])
Esempio n. 6
0
def get_users():
    services.validate_internal_request(request)

    return jsonify([{'id': 1}])