diff options
author | Roald de Vries <rdevries@thoughtworks.com> | 2016-11-29 11:10:26 +0100 |
---|---|---|
committer | Roald de Vries <rdevries@thoughtworks.com> | 2016-11-29 11:10:26 +0100 |
commit | 0bb7304f7cb87aed31f588bf40ae0a7fd949c2ba (patch) | |
tree | 6d1046d520b7dafac887a2bf75e5154cc1d5f88a /service/pixelated/resources/__init__.py | |
parent | b50db20c0a6603a3ea5f0b704baee1983fc34c1d (diff) |
move adding csrf to base resource
Diffstat (limited to 'service/pixelated/resources/__init__.py')
-rw-r--r-- | service/pixelated/resources/__init__.py | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/service/pixelated/resources/__init__.py b/service/pixelated/resources/__init__.py index 11611f0b..97346a6f 100644 --- a/service/pixelated/resources/__init__.py +++ b/service/pixelated/resources/__init__.py @@ -13,8 +13,9 @@ # # You should have received a copy of the GNU Affero General Public License # along with Pixelated. If not, see <http://www.gnu.org/licenses/>. - +import hashlib import json +import os from twisted.web.http import UNAUTHORIZED from twisted.web.resource import Resource @@ -26,6 +27,8 @@ from twisted.web.http import INTERNAL_SERVER_ERROR, SERVICE_UNAVAILABLE log = Logger() +CSRF_TOKEN_LENGTH = 32 + class SetEncoder(json.JSONEncoder): def default(self, obj): @@ -62,6 +65,11 @@ class BaseResource(Resource): Resource.__init__(self) self._services_factory = services_factory + def _add_csrf_cookie(self, request): + csrf_token = hashlib.sha256(os.urandom(CSRF_TOKEN_LENGTH)).hexdigest() + request.addCookie('XSRF-TOKEN', csrf_token) + log.debug('XSRF-TOKEN added: %s' % csrf_token) + def _get_user_id_from_request(self, request): if self._services_factory.mode.is_single_user: return None # it doesn't matter |