def csrfProtect(self, requestToken=None):
if shared._csrfExempt:
return
if not request.method in ['POST', 'PUT', 'PATCH', 'DELETE']:
return
sessionToken = session.get('_csrfToken', None)
if not sessionToken:
# CSRF token missing
abort(403)
config = ConfigManager.getConfig()
secretKey = config['SECRET_KEY']
hmacCompare = hmac.new(secretKey, str(sessionToken).encode('utf-8'), digestmod=sha1)
token = requestToken if requestToken is not None else request.form.get('_csrfToken')
if hmacCompare.hexdigest() != token:
# invalid CSRF token
if self.csrfHandler:
self.csrfHandler(*self.app.matchRequest())
else:
abort(403)
if not self.checkCSRFExpire(token):
# CSRF token expired
abort(403)
def checkCSRFExpire(self, requestToken):
csrfCreateAt = session.get('_csrfTokenAdded', None)
expire = self.app.config.get('CSRF_EXPIRE', None)
if expire is None:
return True
now = datetime.datetime.now()
currentTime = time.mktime(now.timetuple())
term = currentTime - csrfCreateAt
if term > expire:
return False
return True
