def get_csrf():
    """Issue a fresh CSRF token bound to the caller's IP and persist it.

    Returns the urlsafe base64 encoding of 30 random bytes after storing it
    via CSRF.update_csrf for the current client IP, or the fixed string
    'test' when the app runs with TESTING set.

    NOTE(review): under Python 3 urlsafe_b64encode yields bytes, not str;
    confirm that the stored value compares equal to the ``state`` query
    parameter the callback later looks up.
    """
    if current_app.config['TESTING']:
        # Test runs get a predictable token and never touch the database.
        return 'test'
    token = base64.urlsafe_b64encode(os.urandom(30))
    CSRF.update_csrf(get_ip(), token)
    db.session.commit()
    return token
    def test_get(self):
        """CSRF.get returns the stored row for a known token and None otherwise."""
        token = 'some_random_string'
        stored = CSRF(ip='127.0.0.1', csrf=token)
        db.session.add(stored)
        db.session.flush()

        # Lookup by token must hand back the very row just inserted.
        self.assertEqual(stored, CSRF.get(token))
        # An unknown token must not match anything.
        self.assertIsNone(CSRF.get('another_random_string'))
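def _is_local_path(url):
    """Return True when *url* is a site-relative path (``/...``).

    Absolute URLs, protocol-relative ``//host`` and ``/\\host`` (which
    browsers also resolve against a foreign host) are rejected, as is any
    non-string value.
    """
    try:
        return url.startswith('/') and not url.startswith(('//', '/\\'))
    except AttributeError:
        return False


def oauth_callback():
    """Handle the OAuth2 redirect back from the provider.

    Verifies the ``state`` query parameter against the CSRF row stored for
    the caller's IP, consumes that row, exchanges ``code`` for account data
    via check_mb_account and logs the user in. Always answers with a 307
    redirect: to the stored returnto path on success, to the homepage on any
    failure (or when no returnto was stored).
    """
    error = request.args.get('error')
    url = url_for('.homepage')
    if error:
        flash('There was an error: %s' % error)
    else:
        csrf = request.args.get('state')
        code = request.args.get('code')
        # The stored row both confirms the state value and carries the
        # remember/returnto options chosen at login time.
        stored_csrf = CSRF.get(csrf=csrf, ip=get_ip())
        if stored_csrf is None:
            flash("CSRF token mismatch. Please try again.")
            return redirect(url, code=307)
        opts = json.loads(stored_csrf.opts)
        # Single use: the row is removed before the token exchange, so once this
        # request commits the same state value cannot be presented again.
        stored_csrf.delete()
        remember = opts.get('remember', False)
        returnto = opts.get('returnto')
        # returnto originates from a query parameter (see login_redirect), so only
        # site-relative paths are honoured; otherwise the callback would act as an
        # open redirect to an arbitrary host.
        if _is_local_path(returnto):
            url = returnto
        # Exchange the authorization code for the account's name and timezone.
        user_data = check_mb_account(code)
        if user_data:
            (username, tz) = user_data
            Editor.add_or_update(username, tz)
            login_user(User(username, tz), remember=remember)
            flash("Logged in successfully!")
        else:
            flash("We couldn't log you in D:")
            url = url_for('.homepage')
    db.session.commit()
    return redirect(url, code=307)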
def login_redirect():
    """Send the browser to the MusicBrainz OAuth2 authorize endpoint.

    The ``csrf`` query parameter becomes the OAuth ``state`` value; the
    ``remember`` and ``returnto`` query parameters are stored on that CSRF
    row via CSRF.update_opts so the callback can read them back.

    NOTE(review): returnto is stored exactly as supplied by the client;
    whatever consumes it should only redirect to site-relative paths.
    """
    state = request.args['csrf']
    params = {
        'client_id': current_app.config['OAUTH_CLIENT_ID'],
        'redirect_uri': current_app.config['OAUTH_REDIRECT_URI'],
        'state': state,
        'response_type': 'code',
        'scope': 'profile',
    }
    authorize_url = 'https://musicbrainz.org/oauth2/authorize?%s' % urlencode(params)

    # Persist the login-time options alongside the CSRF row.
    opts = {}
    if request.args.get('remember'):
        opts['remember'] = True
    returnto = request.args.get('returnto')
    if returnto:
        opts['returnto'] = returnto
    CSRF.update_opts(opts, state)
    db.session.commit()
    return redirect(authorize_url, code=307)
    def test_update(self):
        """update_csrf replaces a stale row for an IP but keeps a recent one."""
        self.assertEqual(CSRF.query.count(), 0)
        ip = '127.0.0.1'

        # Seed a row that is already two hours old; it is expected to be evicted.
        stale = CSRF(ip=ip, csrf='random', timestamp=datetime.today() - timedelta(hours=2))
        db.session.add(stale)
        db.session.flush()
        self.assertEqual(CSRF.query.count(), 1)

        # The stale row must be swapped out for the new token.
        CSRF.update_csrf(ip, 'another_random')
        rows = CSRF.query.all()
        self.assertEqual(1, len(rows))
        self.assertEqual((ip, 'another_random'), (rows[0].ip, rows[0].csrf))

        # A second update inside the hour keeps both rows.
        CSRF.update_csrf(ip, 'one_more_random')
        self.assertEqual(2, CSRF.query.count())
def get_csrf():
    """Create, persist and return a new CSRF token for the caller's IP.

    The token is the urlsafe base64 encoding of 30 random bytes; it is
    stored through CSRF.update_csrf and committed before being returned.
    """
    token = base64.urlsafe_b64encode(os.urandom(30))
    CSRF.update_csrf(get_ip(), token)
    db.session.commit()
    return token