From 0bb7304f7cb87aed31f588bf40ae0a7fd949c2ba Mon Sep 17 00:00:00 2001
From: Roald de Vries <rdevries@thoughtworks.com>
Date: Tue, 29 Nov 2016 11:10:26 +0100
Subject: move adding csrf to base resource

---
 service/pixelated/resources/__init__.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

(limited to 'service/pixelated/resources/__init__.py')

diff --git a/service/pixelated/resources/__init__.py b/service/pixelated/resources/__init__.py
index 11611f0b..97346a6f 100644
--- a/service/pixelated/resources/__init__.py
+++ b/service/pixelated/resources/__init__.py
@@ -13,8 +13,9 @@
 #
 # You should have received a copy of the GNU Affero General Public License
 # along with Pixelated. If not, see <http://www.gnu.org/licenses/>.
-
+import hashlib
 import json
+import os
 
 from twisted.web.http import UNAUTHORIZED
 from twisted.web.resource import Resource
@@ -26,6 +27,8 @@ from twisted.web.http import INTERNAL_SERVER_ERROR, SERVICE_UNAVAILABLE
 
 log = Logger()
 
+CSRF_TOKEN_LENGTH = 32
+
 
 class SetEncoder(json.JSONEncoder):
     def default(self, obj):
@@ -62,6 +65,11 @@ class BaseResource(Resource):
         Resource.__init__(self)
         self._services_factory = services_factory
 
+    def _add_csrf_cookie(self, request):
+        csrf_token = hashlib.sha256(os.urandom(CSRF_TOKEN_LENGTH)).hexdigest()
+        request.addCookie('XSRF-TOKEN', csrf_token)
+        log.debug('XSRF-TOKEN added: %s' % csrf_token)
+
     def _get_user_id_from_request(self, request):
         if self._services_factory.mode.is_single_user:
             return None  # it doesn't matter
-- 
cgit v1.2.3