[fix] CSRF

This commit is contained in:
ljf 2021-02-15 05:25:55 +01:00
parent ae1cef3407
commit 69786aa3de
2 changed files with 11 additions and 7 deletions


@ -11,5 +11,4 @@ requests==2.22.0
stripe==2.47.0 stripe==2.47.0
toml==0.9.6 toml==0.9.6
urllib3==1.25.3 urllib3==1.25.3
Werkzeug==1.0.1
flask-simple-csrf flask-simple-csrf
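Review bot: `flask-simple-csrf` is the only requirement in this file without a version pin, and the hunk also drops the `Werkzeug==1.0.1` pin, so the versions of both will drift between installs while every other dependency stays fixed. Pin it to the version that was actually tested, `flask-simple-csrf==<tested-version>`, and if the Werkzeug pin was removed because of a resolver conflict, re-pin Werkzeug at the version the resolver settles on rather than leaving it floating.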


@ -9,8 +9,10 @@ Python 3.6 or newer required.
import stripe import stripe
import json import json
import os import os
import random
import string
from flask import Flask, render_template, jsonify, request, send_from_directory from flask import Flask, render_template, jsonify, request, send_from_directory, session
from flask_simple_csrf import CSRF from flask_simple_csrf import CSRF
from dotenv import load_dotenv, find_dotenv from dotenv import load_dotenv, find_dotenv
@ -25,13 +27,16 @@ static_dir = str(os.path.abspath(os.path.join(
__file__, "..", os.getenv("STATIC_DIR")))) __file__, "..", os.getenv("STATIC_DIR"))))
app = Flask(__name__, static_folder=static_dir, app = Flask(__name__, static_folder=static_dir,
static_url_path="", template_folder=static_dir) static_url_path="", template_folder=static_dir)
CSRF = CSRF(config=os.getenv('CSRF_CONFIG')) app.secret_key = os.getenv('SECRET_KEY')
CSRF = CSRF(config={
'SECRET_CSRF_KEY':os.getenv('SECRET_CSRF_KEY')
})
app = CSRF.init_app(app) app = CSRF.init_app(app)
@app.before_request @app.before_request
def before_request(): def before_request():
if 'CSRF_TOKEN' not in session or 'USER_CSRF' not in session: if 'CSRF_TOKEN' not in session or 'USER_CSRF' not in session:
session['USER_CSRF'] = random_string(64) session['USER_CSRF'] = ''.join(random.SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(64))
session['CSRF_TOKEN'] = CSRF.create(session['USER_CSRF']) session['CSRF_TOKEN'] = CSRF.create(session['USER_CSRF'])
@app.route('/', methods=['GET']) @app.route('/', methods=['GET'])
@ -52,9 +57,9 @@ def create_checkout_session():
data = json.loads(request.data) data = json.loads(request.data)
domain_url = os.getenv('DOMAIN') domain_url = os.getenv('DOMAIN')
try: try:
if CSRF.verify(data['user_csrf'], session['CSRF_TOKEN']) is False or if CSRF.verify(data['user_csrf'], session['CSRF_TOKEN']) is False or \
data['frequency'] not in ['RECURING', 'ONE_TIME'] or data['frequency'] not in ['RECURING', 'ONE_TIME'] or \
data['currency'] not in ['EUR', 'USD'] or data['currency'] not in ['EUR', 'USD'] or \
int(data['quantity']) <= 0: int(data['quantity']) <= 0:
return jsonify(error="Bad value"), 400 return jsonify(error="Bad value"), 400
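Review bot: `app.secret_key = os.getenv('SECRET_KEY')` in the second hunk, and the `SECRET_CSRF_KEY` entry right below it, evaluate to `None` when the variable is unset, so the app starts normally and only fails once `before_request` first writes to `session` (every request then errors instead of a clear startup failure); use `os.environ['SECRET_KEY']` and `os.environ['SECRET_CSRF_KEY']` so a missing secret aborts at import time. The token generated in `before_request` via `random.SystemRandom()` is cryptographically sound, but the stdlib has a one-liner for exactly this, `session['USER_CSRF'] = secrets.token_hex(32)`, which would also make the `random`/`string` imports added in the first hunk unnecessary. `create_checkout_session` in the third hunk continues past the end of the hunk, so the `except` that is meant to catch a missing `user_csrf` key is not visible here.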