From ae1cef3407f3a3df9a055148d01e18617ed8e373 Mon Sep 17 00:00:00 2001 From: ljf Date: Mon, 15 Feb 2021 05:10:36 +0100 Subject: [PATCH] [wip] CSRF --- README.md | 1 + assets/index.js | 1 + requirements.txt | 1 + server.py | 13 ++++++++++++- 4 files changed, 15 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 630e763..eccf0d7 100644 --- a/README.md +++ b/README.md @@ -29,6 +29,7 @@ DEBUG=True PROJECT_NAME=YunoHost DOMAIN=http://localhost:8000 STATIC_DIR=assets +SECRET_CSRF_KEY=TO_CHANGE # Stripe keys STRIPE_PUBLISHABLE_KEY=pk_test_gOgGjacs9YfvDJY03BRZ576O diff --git a/assets/index.js b/assets/index.js index a3eb997..c97a962 100644 --- a/assets/index.js +++ b/assets/index.js @@ -27,6 +27,7 @@ submitBtn.addEventListener('click', function (evt) { 'Content-Type': 'application/json', }, body: JSON.stringify({ + user_csrf: window.config.csrf, quantity: quantity, currency: currency, frequency: frequency diff --git a/requirements.txt b/requirements.txt index eead772..2585fb6 100644 --- a/requirements.txt +++ b/requirements.txt @@ -12,3 +12,4 @@ stripe==2.47.0 toml==0.9.6 urllib3==1.25.3 Werkzeug==1.0.1 +flask-simple-csrf diff --git a/server.py b/server.py index f8529e9..e464d56 100644 --- a/server.py +++ b/server.py @@ -11,8 +11,10 @@ import json import os from flask import Flask, render_template, jsonify, request, send_from_directory +from flask_simple_csrf import CSRF from dotenv import load_dotenv, find_dotenv + # Setup Stripe python client library. load_dotenv(find_dotenv()) @@ -23,7 +25,14 @@ static_dir = str(os.path.abspath(os.path.join( __file__, "..", os.getenv("STATIC_DIR")))) app = Flask(__name__, static_folder=static_dir, static_url_path="", template_folder=static_dir) +CSRF = CSRF(config=os.getenv('CSRF_CONFIG')) +app = CSRF.init_app(app) +@app.before_request +def before_request(): + if 'CSRF_TOKEN' not in session or 'USER_CSRF' not in session: + session['USER_CSRF'] = random_string(64) + session['CSRF_TOKEN'] = CSRF.create(session['USER_CSRF']) @app.route('/', methods=['GET']) def get_index(): @@ -35,6 +44,7 @@ def get_publishable_key(): return jsonify({ 'publicKey': os.getenv('STRIPE_PUBLISHABLE_KEY'), 'name': os.getenv('PROJECT_NAME'), + 'csrf': session['USER_CSRF'], }) @app.route('/create-checkout-session', methods=['POST']) @@ -42,7 +52,8 @@ def create_checkout_session(): data = json.loads(request.data) domain_url = os.getenv('DOMAIN') try: - if data['frequency'] not in ['RECURING', 'ONE_TIME'] or + if CSRF.verify(data['user_csrf'], session['CSRF_TOKEN']) is False or + data['frequency'] not in ['RECURING', 'ONE_TIME'] or data['currency'] not in ['EUR', 'USD'] or int(data['quantity']) <= 0: return jsonify(error="Bad value"), 400