diff options
| author | Roald de Vries <rdevries@thoughtworks.com> | 2016-11-30 16:11:27 +0100 |
|---|---|---|
| committer | Roald de Vries <rdevries@thoughtworks.com> | 2016-11-30 16:11:27 +0100 |
| commit | 13378255c02b97184132881599ed47826963f54a (patch) | |
| tree | 01a47f844f581a12dae9d022be19d4010433633e /service/pixelated/resources | |
| parent | a493da72d53fe90d679d7fa1980dd185415d9be3 (diff) | |
add csrf token to login form
Diffstat (limited to 'service/pixelated/resources')
| -rw-r--r-- | service/pixelated/resources/login_resource.py | 6 | ||||
| -rw-r--r-- | service/pixelated/resources/session.py | 10 |
2 files changed, 16 insertions, 0 deletions
diff --git a/service/pixelated/resources/login_resource.py b/service/pixelated/resources/login_resource.py index fec4307e..7d61ddce 100644 --- a/service/pixelated/resources/login_resource.py +++ b/service/pixelated/resources/login_resource.py @@ -108,6 +108,11 @@ class LoginWebSite(Element): return tag('') @renderer + def csrftoken(self, request, tag): + tag.fillSlots(csrftoken=IPixelatedSession(request.getSession()).get_csrf_token()) + return tag + + @renderer def disclaimer(self, request, tag): return DisclaimerElement(self.disclaimer_banner_file).render(request) @@ -140,6 +145,7 @@ class LoginResource(BaseResource): return NoResource() def render_GET(self, request): + request.getSession() request.setResponseCode(OK) return self._render_template(request) diff --git a/service/pixelated/resources/session.py b/service/pixelated/resources/session.py index 9ade8d29..0e46ad8f 100644 --- a/service/pixelated/resources/session.py +++ b/service/pixelated/resources/session.py @@ -13,11 +13,15 @@ # # You should have received a copy of the GNU Affero General Public License # along with Pixelated. If not, see <http://www.gnu.org/licenses/>. +import hashlib +import os from zope.interface import Interface, Attribute, implements from twisted.python.components import registerAdapter from twisted.web.server import Session +CSRF_TOKEN_LENGTH = 32 + class IPixelatedSession(Interface): user_uuid = Attribute('The uuid of the currently logged in user') @@ -28,6 +32,7 @@ class PixelatedSession(object): def __init__(self, session): self.user_uuid = None + self._csrf_token = None def is_logged_in(self): return self.user_uuid is not None @@ -35,5 +40,10 @@ class PixelatedSession(object): def expire(self): self.user_uuid = None + def get_csrf_token(self): + if self._csrf_token is None: + self._csrf_token = hashlib.sha256(os.urandom(CSRF_TOKEN_LENGTH)).hexdigest() + return self._csrf_token + registerAdapter(PixelatedSession, Session, IPixelatedSession) |