[wip] CSRF

This commit is contained in:
ljf 2021-02-15 05:10:36 +01:00
parent 3537d2dc84
commit ae1cef3407
4 changed files with 15 additions and 1 deletions

View file

@ -29,6 +29,7 @@ DEBUG=True
PROJECT_NAME=YunoHost PROJECT_NAME=YunoHost
DOMAIN=http://localhost:8000 DOMAIN=http://localhost:8000
STATIC_DIR=assets STATIC_DIR=assets
SECRET_CSRF_KEY=TO_CHANGE
# Stripe keys # Stripe keys
STRIPE_PUBLISHABLE_KEY=pk_test_gOgGjacs9YfvDJY03BRZ576O STRIPE_PUBLISHABLE_KEY=pk_test_gOgGjacs9YfvDJY03BRZ576O

View file

@ -27,6 +27,7 @@ submitBtn.addEventListener('click', function (evt) {
'Content-Type': 'application/json', 'Content-Type': 'application/json',
}, },
body: JSON.stringify({ body: JSON.stringify({
user_csrf: window.config.csrf,
quantity: quantity, quantity: quantity,
currency: currency, currency: currency,
frequency: frequency frequency: frequency

View file

@ -12,3 +12,4 @@ stripe==2.47.0
toml==0.9.6 toml==0.9.6
urllib3==1.25.3 urllib3==1.25.3
Werkzeug==1.0.1 Werkzeug==1.0.1
flask-simple-csrf

View file

@ -11,8 +11,10 @@ import json
import os import os
from flask import Flask, render_template, jsonify, request, send_from_directory from flask import Flask, render_template, jsonify, request, send_from_directory
from flask_simple_csrf import CSRF
from dotenv import load_dotenv, find_dotenv from dotenv import load_dotenv, find_dotenv
# Setup Stripe python client library. # Setup Stripe python client library.
load_dotenv(find_dotenv()) load_dotenv(find_dotenv())
@ -23,7 +25,14 @@ static_dir = str(os.path.abspath(os.path.join(
__file__, "..", os.getenv("STATIC_DIR")))) __file__, "..", os.getenv("STATIC_DIR"))))
app = Flask(__name__, static_folder=static_dir, app = Flask(__name__, static_folder=static_dir,
static_url_path="", template_folder=static_dir) static_url_path="", template_folder=static_dir)
CSRF = CSRF(config=os.getenv('CSRF_CONFIG'))
app = CSRF.init_app(app)
@app.before_request
def before_request():
if 'CSRF_TOKEN' not in session or 'USER_CSRF' not in session:
session['USER_CSRF'] = random_string(64)
session['CSRF_TOKEN'] = CSRF.create(session['USER_CSRF'])
@app.route('/', methods=['GET']) @app.route('/', methods=['GET'])
def get_index(): def get_index():
@ -35,6 +44,7 @@ def get_publishable_key():
return jsonify({ return jsonify({
'publicKey': os.getenv('STRIPE_PUBLISHABLE_KEY'), 'publicKey': os.getenv('STRIPE_PUBLISHABLE_KEY'),
'name': os.getenv('PROJECT_NAME'), 'name': os.getenv('PROJECT_NAME'),
'csrf': session['USER_CSRF'],
}) })
@app.route('/create-checkout-session', methods=['POST']) @app.route('/create-checkout-session', methods=['POST'])
@ -42,7 +52,8 @@ def create_checkout_session():
data = json.loads(request.data) data = json.loads(request.data)
domain_url = os.getenv('DOMAIN') domain_url = os.getenv('DOMAIN')
try: try:
if data['frequency'] not in ['RECURING', 'ONE_TIME'] or if CSRF.verify(data['user_csrf'], session['CSRF_TOKEN']) is False or
data['frequency'] not in ['RECURING', 'ONE_TIME'] or
data['currency'] not in ['EUR', 'USD'] or data['currency'] not in ['EUR', 'USD'] or
int(data['quantity']) <= 0: int(data['quantity']) <= 0:
return jsonify(error="Bad value"), 400 return jsonify(error="Bad value"), 400