From 13378255c02b97184132881599ed47826963f54a Mon Sep 17 00:00:00 2001
From: Roald de Vries <rdevries@thoughtworks.com>
Date: Wed, 30 Nov 2016 16:11:27 +0100
Subject: add csrf token to login form

---
 service/pixelated/assets/login.html           |  1 +
 service/pixelated/resources/login_resource.py |  6 ++++++
 service/pixelated/resources/session.py        | 10 ++++++++++
 3 files changed, 17 insertions(+)

(limited to 'service/pixelated')

diff --git a/service/pixelated/assets/login.html b/service/pixelated/assets/login.html
index ff103f03..c2f5e78e 100644
--- a/service/pixelated/assets/login.html
+++ b/service/pixelated/assets/login.html
@@ -18,6 +18,7 @@
 
 
         <form class="standard" id="login_form" action="/login" method="post">
+            <input t:render="csrftoken" type="hidden" name="csrftoken" id="csrftoken"><t:attr name="value"><t:slot name="csrftoken" /></t:attr></input>
             <input type="text" name="username" id="email" class="text-field" placeholder="username" tabindex="1"
                    autofocus="" />
             <input type="password" name="password" id="password" class="text-field" placeholder="password"
diff --git a/service/pixelated/resources/login_resource.py b/service/pixelated/resources/login_resource.py
index fec4307e..7d61ddce 100644
--- a/service/pixelated/resources/login_resource.py
+++ b/service/pixelated/resources/login_resource.py
@@ -107,6 +107,11 @@ class LoginWebSite(Element):
             return tag(self._error_msg)
         return tag('')
 
+    @renderer
+    def csrftoken(self, request, tag):
+        tag.fillSlots(csrftoken=IPixelatedSession(request.getSession()).get_csrf_token())
+        return tag
+
     @renderer
     def disclaimer(self, request, tag):
         return DisclaimerElement(self.disclaimer_banner_file).render(request)
@@ -140,6 +145,7 @@ class LoginResource(BaseResource):
         return NoResource()
 
     def render_GET(self, request):
+        request.getSession()
         request.setResponseCode(OK)
         return self._render_template(request)
 
diff --git a/service/pixelated/resources/session.py b/service/pixelated/resources/session.py
index 9ade8d29..0e46ad8f 100644
--- a/service/pixelated/resources/session.py
+++ b/service/pixelated/resources/session.py
@@ -13,11 +13,15 @@
 #
 # You should have received a copy of the GNU Affero General Public License
 # along with Pixelated. If not, see <http://www.gnu.org/licenses/>.
+import hashlib
+import os
 
 from zope.interface import Interface, Attribute, implements
 from twisted.python.components import registerAdapter
 from twisted.web.server import Session
 
+CSRF_TOKEN_LENGTH = 32
+
 
 class IPixelatedSession(Interface):
     user_uuid = Attribute('The uuid of the currently logged in user')
@@ -28,6 +32,7 @@ class PixelatedSession(object):
 
     def __init__(self, session):
         self.user_uuid = None
+        self._csrf_token = None
 
     def is_logged_in(self):
         return self.user_uuid is not None
@@ -35,5 +40,10 @@ class PixelatedSession(object):
     def expire(self):
         self.user_uuid = None
 
+    def get_csrf_token(self):
+        if self._csrf_token is None:
+            self._csrf_token = hashlib.sha256(os.urandom(CSRF_TOKEN_LENGTH)).hexdigest()
+        return self._csrf_token
+
 
 registerAdapter(PixelatedSession, Session, IPixelatedSession)
-- 
cgit v1.2.3