Exemplo n.º 1
    def test_build_and_parse_state(self):
        """Check when the site-wide XSRF secret key stays stable and when it rotates.

        The key returned by ``appengine.xsrf_secret_key()`` must be the same
        across calls and must survive eviction of its memcache entry. It may
        only change once both the memcache entry and the stored
        ``SiteXsrfSecretKey`` model are gone.
        """
        # NOTE(review): the method name mentions "state", but every assertion
        # here is about the XSRF secret key; the name looks copied from a
        # sibling test.
        initial_key = appengine.xsrf_secret_key()

        # Back-to-back lookups have to agree.
        repeated_key = appengine.xsrf_secret_key()
        self.assertEqual(initial_key, repeated_key)

        # Evicting only the cache entry must not rotate the key; presumably it
        # is reloaded from the persisted model. Otherwise a routine cache
        # flush would change the key for the whole site.
        memcache.delete(
            appengine.XSRF_MEMCACHE_ID,
            namespace=appengine.OAUTH2CLIENT_NAMESPACE,
        )
        key_after_cache_loss = appengine.xsrf_secret_key()
        self.assertEqual(repeated_key, key_after_cache_loss)

        # With both the cache entry and the stored model removed, no copy of
        # the old key is left, so a new one is expected.
        memcache.delete(
            appengine.XSRF_MEMCACHE_ID,
            namespace=appengine.OAUTH2CLIENT_NAMESPACE,
        )
        stored_key = appengine.SiteXsrfSecretKey.get_or_insert("site")
        stored_key.delete()

        regenerated_key = appengine.xsrf_secret_key()
        self.assertNotEqual(key_after_cache_loss, regenerated_key)
Exemplo n.º 2
    def test_build_and_parse_state(self):
        """Verify the lifetime of the key from ``appengine.xsrf_secret_key()``.

        The key is expected to be stable across calls and across loss of the
        memcache entry, and to be replaced only after the
        ``SiteXsrfSecretKey`` model has been deleted as well.
        """

        def evict_cached_key():
            # Drops only the memcache entry; the stored model is untouched.
            memcache.delete(appengine.XSRF_MEMCACHE_ID,
                            namespace=appengine.OAUTH2CLIENT_NAMESPACE)

        baseline = appengine.xsrf_secret_key()

        # Calling again without touching any storage returns the same key.
        second_read = appengine.xsrf_secret_key()
        self.assertEqual(baseline, second_read)

        # Cache eviction alone must not change the key.
        evict_cached_key()
        after_eviction = appengine.xsrf_secret_key()
        self.assertEqual(second_read, after_eviction)

        # Remove the cache entry and the stored model: the old key can no
        # longer be recovered from anywhere.
        evict_cached_key()
        site_record = appengine.SiteXsrfSecretKey.get_or_insert('site')
        site_record.delete()

        # A different key is expected now. NOTE(review): tokens signed with
        # the previous key presumably stop validating at this point - confirm
        # against xsrfutil.
        after_full_reset = appengine.xsrf_secret_key()
        self.assertNotEqual(after_eviction, after_full_reset)
Exemplo n.º 3
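 def _validate_token(handler, *args, **kw):
     """Check the XSRF token from the POST field or header, then dispatch.

     The token is read from the ``xsrf_token`` POST field, falling back to
     the ``x-xsrf-token`` request header. It is validated against the site
     secret key, the current user's id and the fixed action id ``'x5'``.
     The wrapped ``method`` is called only when validation succeeds.

     Args:
         handler: request handler exposing ``request`` and ``abort``.
         *args: positional arguments forwarded to ``method``.
         **kw: keyword arguments forwarded to ``method``.

     Returns:
         Whatever ``method`` returns on success; ``None`` when the request
         is rejected and ``handler.abort`` returns instead of raising.
     """
     token = (handler.request.POST.get('xsrf_token')
              or handler.request.headers.get('x-xsrf-token'))
     if not token:
         handler.abort(400, 'no token')
         return

     # users.get_current_user() returns None for an anonymous request.
     # Reject that case explicitly rather than let .user_id() raise
     # AttributeError, which would surface as a server error.
     user = users.get_current_user()
     if user is None:
         handler.abort(401, 'login required')
         return

     if isinstance(token, unicode):
         # NOTE(review): errors='ignore' silently drops characters that
         # cannot be encoded; such a token is then compared in altered form.
         token = token.encode('utf-8', errors='ignore')

     # The token is bound to this user's id and to action_id 'x5', so the
     # code that generates tokens must use the same pair.
     valid = xsrfutil.validate_token(appengine.xsrf_secret_key(),
                                     token,
                                     user.user_id(),
                                     action_id='x5')
     if not valid:
         handler.abort(400, 'invalid token')
         return
     return method(handler, *args, **kw)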
Exemplo n.º 4
def generate_token():
    """Build an XSRF token for the currently signed-in user.

    The token is derived from the site secret key, the current user's id
    and the fixed action id ``'x5'``. Whatever validates the token must
    supply the same user id and action id.
    """
    signing_key = appengine.xsrf_secret_key()
    # NOTE(review): users.get_current_user() returns None for an anonymous
    # request, so .user_id() would raise AttributeError here; callers
    # presumably enforce login first - confirm.
    current_user_id = users.get_current_user().user_id()
    return xsrfutil.generate_token(signing_key, current_user_id, action_id='x5')