def check_csrf(self):
"""
Get a CSRF token from CGI request headers and validate it. If validation
fails, render an error and exit early.
In our current JSONRPC style, we can send custom headers, so we look for the
CSRF token in a header. We may switch to a form-submission-based approach,
in which case we would need to update this code to look for a CSRF token in
the POST parameters.
"""
if (self.HTTP_X_CSRF_TOKEN in os.environ and
self.is_csrf_token(os.environ[self.HTTP_X_CSRF_TOKEN])):
pass
else:
common.render_error('Invalid CSRF token.')
def check_csrf(self):
"""
Get a CSRF token from CGI request headers and validate it. If validation
fails, render an error and exit early.
In our current JSONRPC style, we can send custom headers, so we look for the
CSRF token in a header. We may switch to a form-submission-based approach,
in which case we would need to update this code to look for a CSRF token in
the POST parameters.
"""
if (self.HTTP_X_CSRF_TOKEN in os.environ
and self.is_csrf_token(os.environ[self.HTTP_X_CSRF_TOKEN])):
pass
else:
common.render_error('Invalid CSRF token.')
def is_password(self, candidate):
"""
Returns true iff the candidate password equals the stored one.
"""
if self.rate_limit_remaining() > 0:
with open(self.password_filename, 'r') as f:
hashed = f.read().strip()
if hashed == pbkdf2.crypt(candidate, unicode(hashed)):
return True
else:
# Increment rate limit on failures.
self.increment_rate_limit()
return False
else:
common.render_error('Too many failed login attempts. Try again tomorrow.')
def is_password(self, candidate):
"""
Returns true iff the candidate password equals the stored one.
"""
if self.rate_limit_remaining() > 0:
with open(self.password_filename, 'r') as f:
hashed = f.read().strip()
if hashed == pbkdf2.crypt(candidate, unicode(hashed)):
return True
else:
# Increment rate limit on failures.
self.increment_rate_limit()
return False
else:
common.render_error(
'Too many failed login attempts. Try again tomorrow.')
