move adding csrf to base resource

author: Roald de Vries <rdevries@thoughtworks.com> 2016-11-29 11:10:26 +0100
committer: Roald de Vries <rdevries@thoughtworks.com> 2016-11-29 11:10:26 +0100
commit: 0bb7304f7cb87aed31f588bf40ae0a7fd949c2ba (patch)
tree: 6d1046d520b7dafac887a2bf75e5154cc1d5f88a /service/pixelated/resources/__init__.py
parent: b50db20c0a6603a3ea5f0b704baee1983fc34c1d (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/service/pixelated/resources/__init__.py b/service/pixelated/resources/__init__.py
index 11611f0b..97346a6f 100644
--- a/service/pixelated/resources/__init__.py
+++ b/service/pixelated/resources/__init__.py
@@ -13,8 +13,9 @@
 #
 # You should have received a copy of the GNU Affero General Public License
 # along with Pixelated. If not, see <http://www.gnu.org/licenses/>.
-
+import hashlib
 import json
+import os
 
 from twisted.web.http import UNAUTHORIZED
 from twisted.web.resource import Resource
@@ -26,6 +27,8 @@ from twisted.web.http import INTERNAL_SERVER_ERROR, SERVICE_UNAVAILABLE
 
 log = Logger()
 
+CSRF_TOKEN_LENGTH = 32
+
 
 class SetEncoder(json.JSONEncoder):
     def default(self, obj):
@@ -62,6 +65,11 @@ class BaseResource(Resource):
         Resource.__init__(self)
         self._services_factory = services_factory
 
+    def _add_csrf_cookie(self, request):
+        csrf_token = hashlib.sha256(os.urandom(CSRF_TOKEN_LENGTH)).hexdigest()
+        request.addCookie('XSRF-TOKEN', csrf_token)
+        log.debug('XSRF-TOKEN added: %s' % csrf_token)
+
     def _get_user_id_from_request(self, request):
         if self._services_factory.mode.is_single_user:
             return None  # it doesn't matter
author	Roald de Vries <rdevries@thoughtworks.com>	2016-11-29 11:10:26 +0100
committer	Roald de Vries <rdevries@thoughtworks.com>	2016-11-29 11:10:26 +0100
commit	0bb7304f7cb87aed31f588bf40ae0a7fd949c2ba (patch)
tree	6d1046d520b7dafac887a2bf75e5154cc1d5f88a /service/pixelated/resources/__init__.py
parent	b50db20c0a6603a3ea5f0b704baee1983fc34c1d (diff)