def testExpiredTokenDoesNotVerify(self):
    """Check that a token older than the default timeout is rejected.

    The token is generated with a timestamp one second further in the past
    than ``xsrf.DEFAULT_TIMEOUT_``. Validation with default arguments must
    fail, while validation with the timeout doubled must succeed.
    """
    current = int(time.time())
    issued_at = current - (xsrf.DEFAULT_TIMEOUT_ + 1)
    stale_token = xsrf.GenerateToken(self.key, 'user', '*', issued_at)

    # With the default timeout the token is already too old.
    rejected = xsrf.ValidateToken(self.key, 'user', stale_token)
    self.assertFalse(rejected)

    # The same token passes under a longer timeout, which shows the
    # rejection above was caused by age and not by a malformed token.
    extended_timeout = xsrf.DEFAULT_TIMEOUT_ * 2
    accepted = xsrf.ValidateToken(
        self.key, 'user', stale_token, '*', extended_timeout)
    self.assertTrue(accepted)
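def _RequestContainsValidXsrfToken(self):
    """Report whether the current request carries a valid XSRF token.

    The token is read from the ``xsrf`` request parameter, falling back to
    the ``X-XSRF-Token`` header. A request with no token, or with a token
    that is empty once Angular's quotes are removed, is rejected here and
    never reaches ``xsrf.ValidateToken``.

    Returns:
        True if the token validates for the current user's email address,
        False otherwise.
    """
    token = self.request.get('xsrf') or self.request.headers.get('X-XSRF-Token')

    # Fail closed: do not rely on the validator's handling of None or ''.
    if not token:
        return False

    # By default, Angular's $http service will add quotes around the
    # X-XSRF-TOKEN.
    if (self.app.config.get('using_angular', constants.DEFAULT_ANGULAR)
            and token[0] == '"' and token[-1] == '"'):
        token = token[1:-1]

    # A lone '"' or '""' strips down to an empty token; reject it as well.
    if not token:
        return False

    # NOTE(review): assumes self.current_user is set by the time this check
    # runs; confirm that callers authenticate the request first.
    return bool(
        xsrf.ValidateToken(_GetXsrfKey(), self.current_user.email(), token))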
def testTokenWithDifferentActionsFail(self):
    """Check that a token generated for action 'a' fails for action 'b'.

    Key and user are identical in both calls, so only the action value
    differs between generation and validation.
    """
    token_for_a = xsrf.GenerateToken(self.key, 'user', 'a')
    verdict = xsrf.ValidateToken(self.key, 'user', token_for_a, 'b')
    self.assertFalse(verdict)
def testTokenWithDifferentUsersFail(self):
    """Check that a token generated for 'user' fails for 'otheruser'.

    The same key is used in both calls, so the token must be rejected
    because of the user value alone.
    """
    token_for_user = xsrf.GenerateToken(self.key, 'user')
    verdict = xsrf.ValidateToken(self.key, 'otheruser', token_for_user)
    self.assertFalse(verdict)
def testTokenWithNoActionVerifies(self):
    """Check that a token generated without an action validates without one.

    Both calls leave the action argument at its default, with the same key
    and user.
    """
    fresh_token = xsrf.GenerateToken(self.key, 'user')
    verdict = xsrf.ValidateToken(self.key, 'user', fresh_token)
    self.assertTrue(verdict)