def gen_api_token(self):
    """Create the current user's API token, or rotate its secret if one exists.

    Looks up ``M.ApiToken`` for ``c.user._id``. When no token exists a new
    one is constructed (the ORM is expected to register it from the
    constructor alone); otherwise the existing ``secret_key`` is replaced
    with a fresh ``h.cryptographic_nonce()``. The browser is then sent back
    to ``request.referer``.

    NOTE(review): ``request.referer`` is a client-supplied header; whether
    ``redirect`` constrains it (and what happens when it is absent) is not
    visible here — confirm against the framework.
    """
    user_id = c.user._id
    existing = M.ApiToken.query.get(user_id=user_id)
    if existing is not None:
        # Rotate rather than recreate: keep the token row, replace the secret.
        existing.secret_key = h.cryptographic_nonce()
    else:
        M.ApiToken(user_id=user_id)
    redirect(request.referer)
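def __call__(self, environ, start_response):
    """WSGI entry point: double-submit CSRF check for every POST.

    The token lives in the cookie named ``self._cookie_name``; when the
    request carries none a fresh ``h.cryptographic_nonce()`` is minted. On a
    POST the form field ``self._param_name`` is popped from ``req.str_POST``
    and must equal the cookie. On mismatch the incoming ``HTTP_COOKIE`` is
    dropped from ``environ`` (killing the existing session for the
    downstream app) and requests under ``/auth/`` are refused with 403. The
    token is also stored in ``environ[self._cookie_name]`` so the first
    response can embed it, and a ``Set-cookie`` header is appended to
    ``text/html`` responses.

    Args:
        environ: WSGI environment; mutated (``HTTP_COOKIE`` may be removed,
            the token is written under ``self._cookie_name``).
        start_response: WSGI ``start_response`` callable.

    Returns:
        The wrapped app's response iterable, or the 403 response body.
    """
    import hmac

    def _tokens_match(expected, supplied):
        # Constant-time comparison so the check does not leak how many
        # leading characters of the token were right. Anything that cannot
        # be compared as text (missing field, file upload, undecodable
        # bytes) counts as a mismatch, which is also what ``!=`` produced.
        # Assumes the nonce itself is ASCII — TODO confirm in h.cryptographic_nonce.
        if supplied is None:
            return False
        try:
            return hmac.compare_digest(
                expected.encode('utf-8'), supplied.encode('utf-8'))
        except (AttributeError, TypeError, UnicodeError):
            return False

    req = Request(environ)
    # enforce POSTs
    cookie = req.cookies.get(self._cookie_name, None)
    if cookie is None:
        # No token yet: mint one. A POST arriving in this state cannot
        # match and is treated as a CSRF attempt below.
        cookie = h.cryptographic_nonce()
    if req.method == 'POST':
        param = req.str_POST.pop(self._param_name, None)
        if not _tokens_match(cookie, param):
            log.warning('CSRF attempt detected, %r != %r', cookie, param)
            environ.pop('HTTP_COOKIE', None)  # effectively kill the existing session
            if req.path.startswith('/auth/'):
                # for operations where you're not logged in yet (e.g. login form, pwd recovery, etc), then killing
                # the session doesn't help, so we block the request entirely
                resp = exc.HTTPForbidden()
                return resp(environ, start_response)
    # Set cookie for use in later forms:
    # in addition to setting a cookie, set this so its available on first response before cookie gets created in browser
    environ[self._cookie_name] = cookie

    def session_start_response(status, headers, exc_info=None):
        # Only HTML responses get the cookie; API/asset responses are left alone.
        if dict(headers).get('Content-Type', '').startswith('text/html'):
            headers.append(
                ('Set-cookie', str('%s=%s; Path=/' % (self._cookie_name, cookie))))
        return start_response(status, headers, exc_info)

    return self._app(environ, session_start_response)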
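def __call__(self, environ, start_response):
    """WSGI entry point: double-submit CSRF check for every POST.

    The token lives in the cookie named ``self._cookie_name``; when the
    request carries none a fresh ``h.cryptographic_nonce()`` is minted. On a
    POST the form field ``self._param_name`` is popped from ``req.POST`` and
    must equal the cookie. On mismatch the incoming ``HTTP_COOKIE`` is
    dropped from ``environ`` (killing the existing session for the
    downstream app) and requests under ``/auth/`` are refused with 403. The
    token is also stored in ``environ[self._cookie_name]`` so the first
    response can embed it, and a ``Set-cookie`` header is appended to
    ``text/html`` responses.

    Args:
        environ: WSGI environment; mutated (``HTTP_COOKIE`` may be removed,
            the token is written under ``self._cookie_name``).
        start_response: WSGI ``start_response`` callable.

    Returns:
        The wrapped app's response iterable, or the 403 response body.
    """
    import hmac

    def _tokens_match(expected, supplied):
        # Constant-time comparison so the check does not leak how many
        # leading characters of the token were right. Anything that cannot
        # be compared as text (missing field, file upload, undecodable
        # bytes) counts as a mismatch, which is also what ``!=`` produced.
        # Assumes the nonce itself is ASCII — TODO confirm in h.cryptographic_nonce.
        if supplied is None:
            return False
        try:
            return hmac.compare_digest(
                expected.encode('utf-8'), supplied.encode('utf-8'))
        except (AttributeError, TypeError, UnicodeError):
            return False

    req = Request(environ)
    # enforce POSTs
    cookie = req.cookies.get(self._cookie_name, None)
    if cookie is None:
        # No token yet: mint one. A POST arriving in this state cannot
        # match and is treated as a CSRF attempt below.
        cookie = h.cryptographic_nonce()
    if req.method == 'POST':
        param = req.POST.pop(self._param_name, None)
        if not _tokens_match(cookie, param):
            log.warning('CSRF attempt detected: cookie %r != param %r', cookie, param)
            environ.pop('HTTP_COOKIE', None)  # effectively kill the existing session
            if req.path.startswith('/auth/'):
                # for operations where you're not logged in yet (e.g. login form, pwd recovery, etc), then killing
                # the session doesn't help, so we block the request entirely
                resp = exc.HTTPForbidden()
                return resp(environ, start_response)
    # Set cookie for use in later forms:
    # in addition to setting a cookie, set this so its available on first response before cookie gets created in browser
    environ[self._cookie_name] = cookie

    def session_start_response(status, headers, exc_info=None):
        # Only HTML responses get the cookie; API/asset responses are left alone.
        if dict(headers).get('Content-Type', '').startswith('text/html'):
            headers.append(
                ('Set-cookie', str('%s=%s; Path=/' % (self._cookie_name, cookie))))
        return start_response(status, headers, exc_info)

    return self._app(environ, session_start_response)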
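def __call__(self, environ, start_response):
    """WSGI entry point: double-submit CSRF check for every POST.

    The token lives in the cookie named ``self._cookie_name``; when the
    request carries none a fresh ``h.cryptographic_nonce()`` is minted. On a
    POST the form field ``self._param_name`` is popped from ``req.str_POST``
    and must equal the cookie; on mismatch the incoming ``HTTP_COOKIE`` is
    dropped from ``environ`` so the downstream app sees no session. Every
    response gets a ``Set-cookie`` header carrying the token.

    Args:
        environ: WSGI environment; mutated (``HTTP_COOKIE`` may be removed).
        start_response: WSGI ``start_response`` callable.

    Returns:
        The wrapped app's response iterable.
    """
    import hmac

    def _tokens_match(expected, supplied):
        # Constant-time comparison so the check does not leak how many
        # leading characters of the token were right. Anything that cannot
        # be compared as text (missing field, file upload, undecodable
        # bytes) counts as a mismatch, which is also what ``!=`` produced.
        # Assumes the nonce itself is ASCII — TODO confirm in h.cryptographic_nonce.
        if supplied is None:
            return False
        try:
            return hmac.compare_digest(
                expected.encode('utf-8'), supplied.encode('utf-8'))
        except (AttributeError, TypeError, UnicodeError):
            return False

    req = Request(environ)
    cookie = req.cookies.get(self._cookie_name, None)
    if cookie is None:
        # No token yet: mint one. A POST arriving in this state cannot
        # match and is treated as a CSRF attempt below.
        cookie = h.cryptographic_nonce()
    if req.method == 'POST':
        param = req.str_POST.pop(self._param_name, None)
        if not _tokens_match(cookie, param):
            log.warning('CSRF attempt detected, %r != %r', cookie, param)
            # Drop the session cookie so the downstream app treats the
            # request as anonymous; the request itself still proceeds.
            environ.pop('HTTP_COOKIE', None)

    def session_start_response(status, headers, exc_info=None):
        headers.append(
            ('Set-cookie', str('%s=%s; Path=/' % (self._cookie_name, cookie))))
        return start_response(status, headers, exc_info)

    return self._app(environ, session_start_response)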
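def __call__(self, environ, start_response):
    """WSGI entry point: double-submit CSRF check for browser-form POSTs.

    The token lives in the cookie named ``self._cookie_name``; when the
    request carries none a fresh ``h.cryptographic_nonce()`` is minted. For
    a POST whose content type is not ``application/json`` the form field
    ``self._param_name`` is popped from ``req.POST`` (a ``KeyError`` while
    reading the body is logged and treated as a missing field) and must
    equal the cookie. On mismatch the incoming ``HTTP_COOKIE`` is dropped
    from ``environ`` (killing the existing session for the downstream app)
    and requests under ``/auth/`` are refused with 403. The token is also
    stored in ``environ[self._cookie_name]`` so the first response can embed
    it, and a ``Set-cookie`` header is appended to ``text/html`` responses,
    with ``secure`` when the beaker session is secure.

    Args:
        environ: WSGI environment; mutated (``HTTP_COOKIE`` may be removed,
            the token is written under ``self._cookie_name``). Must contain
            ``beaker.session`` by the time an HTML response starts.
        start_response: WSGI ``start_response`` callable.

    Returns:
        The wrapped app's response iterable, or the 403 response body.
    """
    import hmac

    def _tokens_match(expected, supplied):
        # Constant-time comparison so the check does not leak how many
        # leading characters of the token were right. Anything that cannot
        # be compared as text (missing field, file upload, undecodable
        # bytes) counts as a mismatch, which is also what ``!=`` produced.
        # Assumes the nonce itself is ASCII — TODO confirm in h.cryptographic_nonce.
        if supplied is None:
            return False
        try:
            return hmac.compare_digest(
                expected.encode('utf-8'), supplied.encode('utf-8'))
        except (AttributeError, TypeError, UnicodeError):
            return False

    req = Request(environ)
    # enforce POSTs
    cookie = req.cookies.get(self._cookie_name, None)
    if cookie is None:
        # No token yet: mint one. A POST arriving in this state cannot
        # match and is treated as a CSRF attempt below.
        cookie = h.cryptographic_nonce()
    # protect application/x-www-form-urlencoded or multipart/form-data (or maybe blank) from browser forms
    if req.method == 'POST' and req.content_type != 'application/json':
        try:
            param = req.POST.pop(self._param_name, None)
        except KeyError:
            log.debug('error getting %s from POST', self._param_name, exc_info=True)
            param = None
        if not _tokens_match(cookie, param):
            log.warning('CSRF attempt detected: cookie %r != param %r', cookie, param)
            environ.pop('HTTP_COOKIE', None)  # effectively kill the existing session
            if req.path.startswith('/auth/'):
                # for operations where you're not logged in yet (e.g. login form, pwd recovery, etc), then killing
                # the session doesn't help, so we block the request entirely
                resp = exc.HTTPForbidden()
                return resp(environ, start_response)
    # Set cookie for use in later forms:
    # in addition to setting a cookie, set this so its available on first response before cookie gets created in browser
    environ[self._cookie_name] = cookie

    def session_start_response(status, headers, exc_info=None):
        # Only HTML responses get the cookie; API/asset responses are left alone.
        if dict(headers).get('Content-Type', '').startswith('text/html'):
            # Mirror the session cookie's secure flag so the CSRF cookie is
            # never sent over plain HTTP when the session is not either.
            # NOTE(review): relies on beaker middleware upstream having set
            # environ['beaker.session']; a KeyError here would surface at
            # response time — confirm the middleware order.
            use_secure = 'secure; ' if environ['beaker.session'].secure else ''
            headers.append(
                (str('Set-cookie'), str('%s=%s; %sPath=/' % (self._cookie_name, cookie, use_secure))))
        return start_response(status, headers, exc_info)

    return self._app(environ, session_start_response)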
def gen_secret(self):
    """Return a fresh secret produced by ``h.cryptographic_nonce``.

    The argument ``20`` is passed straight through as the nonce's size
    parameter — its exact meaning (bytes vs. characters) is defined by
    ``h.cryptographic_nonce``, not here.
    """
    nonce_size = 20
    secret = h.cryptographic_nonce(nonce_size)
    return secret