    def generate_csrf_token():
        """Issue a signed, per-request masked CSRF token.

        A fresh 16-byte nonce is XORed with the per-session secret (minted on
        first use and kept under ``session['_csrf_secret']``), so every token
        differs byte-wise even though they all unmask to the same secret.
        The nonce (``"n"``) and the masked secret (``"k"``) are base64-encoded
        and signed with ``app.secret_key`` through ``JSONWebSignatureSerializer``.
        ``is_csrf_token_bad`` performs the inverse operation.

        Returns:
            The serialized, signed token as returned by
            ``JSONWebSignatureSerializer.dumps``.
        """
        # Reuse the session secret when present, otherwise mint one.
        # (``setdefault`` evaluates ``os.urandom`` unconditionally; harmless.)
        session_secret = session.setdefault('_csrf_secret', os.urandom(16))
        fresh_nonce = os.urandom(16)

        # Mask the secret with the nonce.  Should ``int_to_bytes`` emit a
        # minimal encoding (dropping leading zero bytes), the verifier is
        # unaffected because it rebuilds the integer, not the byte string.
        masked = int_to_bytes(
            bytes_to_int(fresh_nonce) ^ bytes_to_int(session_secret)
        )

        # NOTE(review): ``b64encode`` returns bytes; confirm the serializer's
        # JSON encoder accepts bytes on the Python version in use.
        payload = {
            "n": b64encode(fresh_nonce),
            "k": b64encode(masked),
        }
        return JSONWebSignatureSerializer(app.secret_key).dumps(payload)
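    def is_csrf_token_bad(token, csrf_secret):
        """Return ``True`` when ``token`` does NOT unmask to ``csrf_secret``.

        Inverse of ``generate_csrf_token``: the signature is verified with
        ``app.secret_key``, the nonce (``"n"``) and masked secret (``"k"``)
        are base64-decoded, and their XOR is compared in constant time with
        the caller-supplied session secret.

        Args:
            token: The signed token submitted with the request.
            csrf_secret: The session's ``'_csrf_secret'`` bytes.  ``None``
                (no secret issued yet) is treated as a bad token.

        Returns:
            ``False`` only when the signature verifies and the unmasked value
            equals ``csrf_secret``; ``True`` otherwise, including on any
            exception (fail closed).

        NOTE(review): ``JSONWebSignatureSerializer`` carries no timestamp, so
        a token stays valid for as long as the session secret does; use the
        timed variant if expiry is wanted.
        """
        try:
            jsw = JSONWebSignatureSerializer(app.secret_key)
            # Raises on a missing or bad signature -> rejected below.
            tobj = jsw.loads(token)

            nonce_int = bytes_to_int(b64decode(tobj["n"]))
            key_int = bytes_to_int(b64decode(tobj["k"]))

            user_secret = int_to_bytes(nonce_int ^ key_int)
            # bytes -> int -> bytes drops leading zero bytes if
            # ``int_to_bytes`` produces a minimal encoding; a session secret
            # that starts with 0x00 would then never compare equal.  Left-pad
            # back to the expected length (a no-op when the lengths already
            # match) so equal-length byte strings are compared.
            user_secret = user_secret.rjust(len(csrf_secret), b'\x00')

            # Constant-time comparison: no early exit that leaks how many
            # leading bytes matched.
            return not constant_time_compare(
                user_secret,
                csrf_secret
            )
        except Exception:
            # Deliberately broad: any failure (bad signature, malformed
            # base64/JSON, missing key, no session secret) rejects the token.
            return True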