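def check_csrf():
    """Block state-changing requests that carry no proof of legitimate origin.

    Returns normally (letting the request proceed) as soon as one of the
    following holds, evaluated in this order; otherwise aborts with HTTP 400:

      a) the method is OPTIONS or GET (treated as safe, not CSRF-relevant);
      b) the ``X-CSRFToken`` header holds a token accepted by ``validate_csrf``;
      c) the ``Origin`` header is present and listed in
         ``ADDITIONAL_ALLOWED_ORIGINS``;
      d) the request path is listed in ``csrf_exempt_paths``;
      e) the request carries an internal token accepted by
         ``validate_internal_request`` (which raises ``InvalidInternalToken``
         otherwise).

    Note that HEAD is *not* on the safe-method list, so a HEAD request has to
    satisfy one of b)-e) -- presumably intentional; confirm before widening.

    Raises:
        The exception produced by ``abort(400, 'Invalid CSRF token.')`` when
        none of the conditions hold. The message is the same regardless of
        which check failed, which avoids leaking which bypass paths exist.
    """
    # Safe methods are not CSRF-relevant. Kept as a tuple of exactly the
    # original two methods; see the HEAD note in the docstring.
    if request.method in ('OPTIONS', 'GET'):
        return

    # b) Explicit CSRF token. A missing header is passed through as None,
    # which validate_csrf is expected to reject with ValidationError.
    try:
        validate_csrf(request.headers.get('X-CSRFToken'))
    except ValidationError:
        pass  # fall through to the remaining acceptance paths
    else:
        return

    # c) Allow-listed browser origin. Guard against a missing header
    # explicitly: a bare ``None in ADDITIONAL_ALLOWED_ORIGINS`` would
    # succeed if the allow-list ever contained None (e.g. from a misparsed
    # config entry), turning an absent Origin into a CSRF bypass.
    origin = request.headers.get('origin')
    if origin is not None and origin in ADDITIONAL_ALLOWED_ORIGINS:
        return

    # d) Paths exempted by configuration.
    if request.path in csrf_exempt_paths:
        return

    # e) Signed internal token (service-to-service calls).
    try:
        validate_internal_request(request)
    except InvalidInternalToken:
        pass
    else:
        return

    abort(400, 'Invalid CSRF token.')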
    def test_validate_internal_request__no_token(self):
        """A request with no token header is rejected outright.

        Pins both the exception type and the exact message (``'no token'``)
        so a missing header cannot silently degrade into some other decode
        error. Judging from the sibling tests the header in question is
        ``X-Token``.
        """
        headerless_request = Mock()
        headerless_request.headers = {}

        with self.assertRaises(services.InvalidInternalToken) as raised:
            services.validate_internal_request(headerless_request)

        self.assertEqual(str(raised.exception), 'no token')
    def test_validate_internal_request__invalid_signature__no_exp(
            self, mock_get_config_by_key_path):
        """A token with no ``exp`` claim is rejected with ``'missing exp'``.

        Tokens without an expiry would be replayable forever, so this is a
        security-relevant rejection, not just input validation.

        NOTE(review): the name says *invalid_signature*, but the only thing
        asserted is the missing-exp message. Whether 'so_secret' matches
        what ``mock_get_config_by_key_path`` returns is configured outside
        this method; if it does not, this test pins that the ``exp`` check
        runs before signature verification, and a dedicated bad-signature
        test that asserts rejection would be worth adding. Confirm.
        """
        unexpiring_token = jwt.encode({'url': 'https://trot.to/api/users'},
                                      'so_secret',
                                      algorithm='HS256')

        internal_request = Mock()
        internal_request.headers = {'X-Token': unexpiring_token}
        internal_request.url = 'https://trot.to/api/users'

        with self.assertRaises(services.InvalidInternalToken) as raised:
            services.validate_internal_request(internal_request)

        self.assertEqual(str(raised.exception), 'missing exp')

        # The signing secret is fetched through the config accessor exactly once.
        mock_get_config_by_key_path.assert_called_once_with(['signing_secret'])
    def test_validate_internal_request__mismatched_url(
            self, mock_get_config_by_key_path):
        """A token minted for one URL is not accepted at a different one.

        The token is bound to ``/api/users/1`` and presented at its parent
        ``/api/users``; the expected failure is ``'mismatched URL'``.

        NOTE(review): only this one direction is covered. The reverse case
        (a ``/api/users`` token presented at ``/api/users/1``) and variants
        differing only in scheme, host, or query string are not pinned here;
        whether the comparison is exact cannot be told from this test.
        """
        expiry = datetime.datetime.utcnow() + datetime.timedelta(seconds=30)
        token_for_other_url = jwt.encode(
            {'exp': expiry, 'url': 'https://trot.to/api/users/1'},
            'so_secret',
            algorithm='HS256')

        internal_request = Mock()
        internal_request.headers = {'X-Token': token_for_other_url}
        internal_request.url = 'https://trot.to/api/users'

        with self.assertRaises(services.InvalidInternalToken) as raised:
            services.validate_internal_request(internal_request)

        self.assertEqual(str(raised.exception), 'mismatched URL')

        # The signing secret is fetched through the config accessor exactly once.
        mock_get_config_by_key_path.assert_called_once_with(['signing_secret'])
    def test_validate_internal_request__valid_token(
            self, mock_get_config_by_key_path):
        """A well-formed token (HS256, unexpired, URL matches) is accepted.

        Acceptance is signalled by a ``True`` return value rather than by
        the absence of an exception; the signing secret is expected to be
        resolved via ``mock_get_config_by_key_path(['signing_secret'])``,
        whose return value is set up outside this method.
        """
        expiry = datetime.datetime.utcnow() + datetime.timedelta(seconds=30)
        good_token = jwt.encode(
            {'exp': expiry, 'url': 'https://trot.to/api/users'},
            'so_secret',
            algorithm='HS256')

        internal_request = Mock()
        internal_request.headers = {'X-Token': good_token}
        internal_request.url = 'https://trot.to/api/users'

        result = services.validate_internal_request(internal_request)

        self.assertEqual(result, True)
        # The signing secret is fetched through the config accessor exactly once.
        mock_get_config_by_key_path.assert_called_once_with(['signing_secret'])
def get_users():
    """Internal-only endpoint returning the user list (currently a stub).

    Access control is delegated entirely to
    ``services.validate_internal_request``: per the tests in this file it
    raises ``InvalidInternalToken`` for a missing, unexpiring, or wrong-URL
    ``X-Token`` JWT, so the body below is only reached with a token that
    validated. Its ``True`` return value is deliberately ignored -- the
    exception is the control flow. How that exception becomes an HTTP error
    (and with which status) depends on an error handler that is not visible
    here; presumably, without one, the client would see a generic 500.
    """
    services.validate_internal_request(request)

    # Placeholder payload; no real user lookup is implemented here.
    users = [{'id': 1}]
    return jsonify(users)