def testExpiredTokenDoesNotVerify(self):
now = int(time.time()) - (xsrf.DEFAULT_TIMEOUT_ + 1)
token = xsrf.GenerateToken(self.key, 'user', '*', now)
self.assertFalse(xsrf.ValidateToken(self.key, 'user', token))
self.assertTrue(
xsrf.ValidateToken(self.key, 'user', token, '*',
xsrf.DEFAULT_TIMEOUT_ * 2))
def _RequestContainsValidXsrfToken(self):
token = self.request.get('xsrf') or self.request.headers.get('X-XSRF-Token')
# By default, Angular's $http service will add quotes around the
# X-XSRF-TOKEN.
if (token and
self.app.config.get('using_angular', constants.DEFAULT_ANGULAR) and
token[0] == '"' and token[-1] == '"'):
token = token[1:-1]
if xsrf.ValidateToken(_GetXsrfKey(), self.current_user.email(),
token):
return True
return False
def testTokenWithDifferentActionsFail(self):
token = xsrf.GenerateToken(self.key, 'user', 'a')
self.assertFalse(xsrf.ValidateToken(self.key, 'user', token, 'b'))
def testTokenWithDifferentUsersFail(self):
token = xsrf.GenerateToken(self.key, 'user')
self.assertFalse(xsrf.ValidateToken(self.key, 'otheruser', token))
def testTokenWithNoActionVerifies(self):
token = xsrf.GenerateToken(self.key, 'user')
self.assertTrue(xsrf.ValidateToken(self.key, 'user', token))
