From 770b439c8495c3a0b16550c2f04740f31646d66b Mon Sep 17 00:00:00 2001
From: Roald de Vries
Date: Thu, 1 Dec 2016 10:36:29 +0100
Subject: WIP: add csrf token to every request
---
 service/pixelated/resources/__init__.py | 2 +-
 service/pixelated/resources/inbox_resource.py | 1 -
 service/pixelated/resources/root_resource.py | 6 +++---
 3 files changed, 4 insertions(+), 5 deletions(-)
(limited to 'service/pixelated')
diff --git a/service/pixelated/resources/__init__.py b/service/pixelated/resources/__init__.py
index 97346a6f..023758de 100644
--- a/service/pixelated/resources/__init__.py
+++ b/service/pixelated/resources/__init__.py
@@ -66,7 +66,7 @@ class BaseResource(Resource):
 self._services_factory = services_factory
 def _add_csrf_cookie(self, request):
- csrf_token = hashlib.sha256(os.urandom(CSRF_TOKEN_LENGTH)).hexdigest()
+ csrf_token = IPixelatedSession(request.getSession()).get_csrf_token()
 request.addCookie('XSRF-TOKEN', csrf_token)
 log.debug('XSRF-TOKEN added: %s' % csrf_token)
diff --git a/service/pixelated/resources/inbox_resource.py b/service/pixelated/resources/inbox_resource.py
index 47a3c072..f759dca9 100644
--- a/service/pixelated/resources/inbox_resource.py
+++ b/service/pixelated/resources/inbox_resource.py
@@ -53,7 +53,6 @@ class InboxResource(BaseResource):
 def render_GET(self, request):
 logger.debug('Inbox rendering GET. %s' % self)
- self._add_csrf_cookie(request)
 if self._is_starting():
 logger.debug('Inbox rendering interstitial. %s' % self)
 return self.interstitial
diff --git a/service/pixelated/resources/root_resource.py b/service/pixelated/resources/root_resource.py
index 7d5b0b0a..1d32935b 100644
--- a/service/pixelated/resources/root_resource.py
+++ b/service/pixelated/resources/root_resource.py
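Review bot: The new `request.getSession()` call in `_add_csrf_cookie` creates a server-side session (and its session cookie) for any request that does not yet have one, and the root_resource.py hunk at `getChildWithDefault` now runs this on every child lookup, so every unauthenticated request, including ones that later fail the XSRF comparison, allocates a session object on the server. If that is not intended, only mint the token once a session already exists or on the responses that render the application shell. The token is also long-lived per session now, so `log.debug('XSRF-TOKEN added: %s' % csrf_token)` writes a reusable secret into the log for the session's lifetime; `log.debug('XSRF-TOKEN cookie added')` is enough. Where the service is served over TLS, `request.addCookie('XSRF-TOKEN', csrf_token, secure=True)` keeps the cookie off plaintext connections; it cannot be HttpOnly because the page script must read it for the header comparison.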
@@ -65,6 +65,7 @@ class RootResource(BaseResource):
 logger.debug('Root in STARTUP mode. %s' % self)
 def getChildWithDefault(self, path, request):
+ self._add_csrf_cookie(request)
 if path == '':
 return self._redirect_to_login_resource if self._public else self._inbox_resource
 if self._mode == MODE_STARTUP:
@@ -81,7 +82,6 @@ class RootResource(BaseResource):
 xsrf_token = request.getCookie('XSRF-TOKEN')
 logger.debug('CSRF token: %s' % xsrf_token)
- # TODO: how is comparing the cookie-csrf with the HTTP-header-csrf adding any csrf protection?
 ajax_request = (request.getHeader('x-requested-with') == 'XMLHttpRequest')
 if ajax_request:
 xsrf_header = request.getHeader('x-xsrf-token')
@@ -101,7 +101,7 @@ class RootResource(BaseResource):
 return self.putChildProtected(path, resource) # to be on the safe side
 def initialize(self, provider=None, disclaimer_banner=None, authenticator=None):
- self.putChildProtected('sandbox', SandboxResource(self._static_folder))
+ self.putChildPublic('sandbox', SandboxResource(self._static_folder))
 self.putChildProtected('keys', KeysResource(self._services_factory))
 self.putChildProtected(AttachmentsResource.BASE_URL, AttachmentsResource(self._services_factory))
 self.putChildProtected('contacts', ContactsResource(self._services_factory))
@@ -114,7 +114,7 @@ class RootResource(BaseResource):
 self.putChildProtected('users', UsersResource(self._services_factory))
 self.putChildPublic(LoginResource.BASE_URL, LoginResource(self._services_factory, provider, disclaimer_banner=disclaimer_banner, authenticator=authenticator))
- self.putChildProtected(LogoutResource.BASE_URL, LogoutResource(self._services_factory))
+ self.putChildPublic(LogoutResource.BASE_URL, LogoutResource(self._services_factory))
 self._inbox_resource.initialize()
 self._mode = MODE_RUNNING
-- 
cgit v1.2.3
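Review bot: Moving `'sandbox'` to `putChildPublic` in `initialize` serves `SandboxResource(self._static_folder)` to unauthenticated clients, and neither the WIP subject nor the description mentions widening that exposure. If the sandbox holds only static assets that must load before login, record that at the call site, e.g. `# static sandbox assets are needed before authentication`; if it can serve anything derived from user data it should remain protected. The `initialize` method continues past the end of this hunk.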
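Review bot: Registering `LogoutResource` via `putChildPublic` appears to take the logout endpoint out of the XSRF comparison done in `getChildWithDefault` (that check is outside this hunk, so this is inferred from the public/protected split), which would let a cross-site request end a user's session. If the goal is only to let a client with an expired session reach logout without a redirect loop, confirm whether public children still go through the cookie/header comparison and either keep logout protected or note the accepted exposure inline, e.g. `# public: must be reachable after the session expires; not CSRF-checked`. The body of `initialize` ends outside the hunk.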