def generate_csrf_token():
    """Return a signed CSRF token bound to the session's ``_csrf_secret``.

    A fresh 16-byte nonce is drawn on every call and the per-session secret
    (created on first use via ``session.setdefault``) is masked by XOR with that
    nonce, so the emitted token differs from call to call even though the
    underlying secret does not. The nonce and the masked value are base64
    encoded, signed with ``app.secret_key`` through ``JSONWebSignatureSerializer``
    and the signed blob is passed through ``_bytes_to_str`` before being returned.
    """
    random_nonce = os.urandom(16)
    # First call stores a new 16-byte secret in the session; later calls reuse it.
    session_secret = session.setdefault('_csrf_secret', os.urandom(16))
    # XOR mask: nonce ^ secret. The verifier recovers the secret as nonce ^ k.
    masked = int_to_bytes(bytes_to_int(random_nonce) ^ bytes_to_int(session_secret))
    serializer = JSONWebSignatureSerializer(app.secret_key)
    # Key order is kept as "n" then "k" so the serialized form is unchanged.
    payload = {
        "n": _bytes_to_str(b64encode(random_nonce)),
        "k": _bytes_to_str(b64encode(masked)),
    }
    return _bytes_to_str(serializer.dumps(payload))
def generate_csrf_token():
    """Return a signed CSRF token bound to the session's ``_csrf_secret``.

    A fresh 16-byte nonce is drawn on every call and the per-session secret
    (created on first use via ``session.setdefault``) is masked by XOR with that
    nonce, so the emitted token differs from call to call even though the
    underlying secret does not. The nonce and the masked value are base64
    encoded and signed with ``app.secret_key`` through
    ``JSONWebSignatureSerializer``; the serializer's output is returned as-is.
    """
    random_nonce = os.urandom(16)
    # First call stores a new 16-byte secret in the session; later calls reuse it.
    session_secret = session.setdefault('_csrf_secret', os.urandom(16))
    # XOR mask: nonce ^ secret. The verifier recovers the secret as nonce ^ k.
    masked = int_to_bytes(bytes_to_int(random_nonce) ^ bytes_to_int(session_secret))
    serializer = JSONWebSignatureSerializer(app.secret_key)
    # Key order is kept as "n" then "k" so the serialized form is unchanged.
    payload = {
        "n": b64encode(random_nonce),
        "k": b64encode(masked),
    }
    return serializer.dumps(payload)
def is_csrf_token_bad(token, csrf_secret):
    """Return True when *token* does not unmask to *csrf_secret*, else False.

    The token's signature is verified with ``app.secret_key`` first; the nonce
    ``n`` and masked value ``k`` are then converted with ``_str_to_bytes``,
    base64-decoded and XORed back together to recover the secret, which is
    compared to ``csrf_secret`` with ``constant_time_compare``. Any exception
    along the way (bad signature, missing field, undecodable base64) is treated
    as a bad token rather than propagated, so the check fails closed.
    """
    try:
        claims = JSONWebSignatureSerializer(app.secret_key).loads(token)

        def field_as_int(name):
            # One token field -> base64-decoded bytes -> integer for the XOR.
            return bytes_to_int(b64decode(_str_to_bytes(claims[name])))

        # "n" is read before "k", matching the original evaluation order.
        recovered_secret = int_to_bytes(field_as_int("n") ^ field_as_int("k"))
        # NOTE(review): this is a byte-for-byte comparison, so it relies on
        # int_to_bytes producing the same length as the stored 16-byte secret
        # even when the secret's leading byte is 0x00 — confirm it pads.
        return not constant_time_compare(recovered_secret, csrf_secret)
    except Exception:
        # Deliberate fail-closed: anything malformed or tampered is "bad".
        return True
def is_csrf_token_bad(token, csrf_secret):
    """Return True when *token* does not unmask to *csrf_secret*, else False.

    The token's signature is verified with ``app.secret_key`` first; the nonce
    ``n`` and masked value ``k`` are then base64-decoded and XORed back together
    to recover the secret, which is compared to ``csrf_secret`` with
    ``constant_time_compare``. Any exception along the way (bad signature,
    missing field, undecodable base64) is treated as a bad token rather than
    propagated, so the check fails closed.
    """
    try:
        claims = JSONWebSignatureSerializer(app.secret_key).loads(token)

        def field_as_int(name):
            # One token field -> base64-decoded bytes -> integer for the XOR.
            return bytes_to_int(b64decode(claims[name]))

        # "n" is read before "k", matching the original evaluation order.
        recovered_secret = int_to_bytes(field_as_int("n") ^ field_as_int("k"))
        # NOTE(review): this is a byte-for-byte comparison, so it relies on
        # int_to_bytes producing the same length as the stored 16-byte secret
        # even when the secret's leading byte is 0x00 — confirm it pads.
        return not constant_time_compare(recovered_secret, csrf_secret)
    except Exception:
        # Deliberate fail-closed: anything malformed or tampered is "bad".
        return True