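def check_csrf(self):
    """
    Get a CSRF token from CGI request headers and validate it.

    If validation fails, render an error and exit early.
    In our current JSONRPC style, we can send custom headers, so we look for
    the CSRF token in a header. We may switch to a form-submission-based
    approach, in which case we would need to update this code to look for a
    CSRF token in the POST parameters.

    Returns:
        None. Validation outcome is signalled only by the error rendering
        (a missing header and an invalid token take the same error path).
    """
    # Under CGI the request headers arrive as environment variables;
    # self.HTTP_X_CSRF_TOKEN is the name of the one carrying the token
    # (presumably the CGI-mangled header name -- confirm against its definition).
    token = os.environ.get(self.HTTP_X_CSRF_TOKEN)
    # A missing header is treated exactly like a token that fails validation,
    # so both cases render the same error message. An empty-but-present header
    # is still passed to is_csrf_token(), as before.
    if token is None or not self.is_csrf_token(token):
        common.render_error('Invalid CSRF token.')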
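def is_password(self, candidate):
    """
    Returns true iff the candidate password equals the stored one.

    The stored value is read from self.password_filename and is used, via
    pbkdf2.crypt(), both as the salt specification and as the expected
    result (presumably a crypt(3)-style string that carries its own
    iteration count and salt -- verify against the pbkdf2 library in use).
    Every failed comparison is counted with self.increment_rate_limit();
    once self.rate_limit_remaining() is exhausted an error is rendered
    instead of checking the password.

    Args:
        candidate: the password supplied by the client (untrusted input).

    Returns:
        True when the candidate matches, False when it does not. If the
        rate limit is exhausted, common.render_error() is called; should
        that ever return, the method returns None (falsy).
    """
    # NOTE(review): this listing shows is_password twice with only a
    # line-wrap difference; if both definitions really are in the file, the
    # later one wins at class-creation time -- confirm which is intended.
    import hmac  # local import: compare_digest needs Python 2.7.7+ / 3.3+

    if self.rate_limit_remaining() <= 0:
        # render_error is expected to end the request (the CSRF check's
        # docstring describes it as "render an error and exit early"); if it
        # returns, we fall through with None, which callers must treat as
        # "not authenticated".
        common.render_error('Too many failed login attempts. Try again tomorrow.')
        return None

    with open(self.password_filename, 'r') as f:
        hashed = f.read().strip()
    computed = pbkdf2.crypt(candidate, unicode(hashed))
    # Constant-time comparison: a plain == stops at the first differing byte,
    # so its duration depends on how much of the stored hash matched. str()
    # on both sides gives compare_digest two values of the same type (a
    # str/unicode mix raises TypeError on Python 2); both are ASCII crypt
    # strings, so the conversion is lossless.
    if hmac.compare_digest(str(hashed), str(computed)):
        return True
    # Increment rate limit on failures.
    self.increment_rate_limit()
    return False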
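def is_password(self, candidate):
    """
    Returns true iff the candidate password equals the stored one.

    The stored value is read from self.password_filename and is used, via
    pbkdf2.crypt(), both as the salt specification and as the expected
    result (presumably a crypt(3)-style string that carries its own
    iteration count and salt -- verify against the pbkdf2 library in use).
    Every failed comparison is counted with self.increment_rate_limit();
    once self.rate_limit_remaining() is exhausted an error is rendered
    instead of checking the password.

    Args:
        candidate: the password supplied by the client (untrusted input).

    Returns:
        True when the candidate matches, False when it does not. If the
        rate limit is exhausted, common.render_error() is called; should
        that ever return, the method returns None (falsy).
    """
    import hmac  # local import: compare_digest needs Python 2.7.7+ / 3.3+

    if self.rate_limit_remaining() <= 0:
        # render_error is expected to end the request (the CSRF check's
        # docstring describes it as "render an error and exit early"); if it
        # returns, we fall through with None, which callers must treat as
        # "not authenticated".
        common.render_error(
            'Too many failed login attempts. Try again tomorrow.')
        return None

    with open(self.password_filename, 'r') as f:
        hashed = f.read().strip()
    computed = pbkdf2.crypt(candidate, unicode(hashed))
    # Constant-time comparison: a plain == stops at the first differing byte,
    # so its duration depends on how much of the stored hash matched. str()
    # on both sides gives compare_digest two values of the same type (a
    # str/unicode mix raises TypeError on Python 2); both are ASCII crypt
    # strings, so the conversion is lossless.
    if hmac.compare_digest(str(hashed), str(computed)):
        return True
    # Increment rate limit on failures.
    self.increment_rate_limit()
    return False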