[wip] CSRF
This commit is contained in:
parent
3537d2dc84
commit
ae1cef3407
4 changed files with 15 additions and 1 deletions
@ -29,6 +29,7 @@ DEBUG=True
PROJECT_NAME=YunoHost
PROJECT_NAME=YunoHost
DOMAIN=http://localhost:8000
DOMAIN=http://localhost:8000
STATIC_DIR=assets
STATIC_DIR=assets
SECRET_CSRF_KEY=TO_CHANGE
# Stripe keys
# Stripe keys
STRIPE_PUBLISHABLE_KEY=pk_test_gOgGjacs9YfvDJY03BRZ576O
STRIPE_PUBLISHABLE_KEY=pk_test_gOgGjacs9YfvDJY03BRZ576O
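Review bot: The variable added here, `SECRET_CSRF_KEY`, is not the one server.py reads in this same commit — it constructs the wrapper with `os.getenv('CSRF_CONFIG')` — so this setting has no effect until the two names agree (either rename this line to whatever server.py reads, or read `SECRET_CSRF_KEY` there). The placeholder `TO_CHANGE` is acceptable only if this file is a committed template (it looks like one, with a `pk_test_` Stripe key, but the file name is not visible here); if it is the live `.env`, a fixed committed value lets anyone who reads the repo forge tokens. Generate the real value per deployment, e.g. `python3 -c 'import secrets; print(secrets.token_hex(32))'`, and document that next to the line.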
@ -27,6 +27,7 @@ submitBtn.addEventListener('click', function (evt) {
'Content-Type': 'application/json',
'Content-Type': 'application/json',
},
},
body: JSON.stringify({
body: JSON.stringify({
user_csrf: window.config.csrf,
quantity: quantity,
quantity: quantity,
currency: currency,
currency: currency,
frequency: frequency
frequency: frequency
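Review bot: `JSON.stringify` drops properties whose value is `undefined`, so if `window.config` has not been populated by the time the button is clicked the request body silently omits `user_csrf`, and the server's `data['user_csrf']` lookup in create_checkout_session then fails on a missing key rather than returning the intended 400. Guard before building the body, e.g. `if (!window.config || !window.config.csrf) { return; }`, or keep the button disabled until the config fetch has completed. The click handler starts outside the hunk, so where `window.config` is assigned and how the fetch result is handled are not visible here.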
@ -12,3 +12,4 @@ stripe==2.47.0
toml==0.9.6
toml==0.9.6
urllib3==1.25.3
urllib3==1.25.3
Werkzeug==1.0.1
Werkzeug==1.0.1
flask-simple-csrf
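Review bot: `flask-simple-csrf` is added without a version pin while every other entry in this file (`toml==0.9.6`, `urllib3==1.25.3`, `Werkzeug==1.0.1`) is pinned, so each deployment installs whatever the newest release is at that moment, and a future release could change the token format or the `create`/`verify` contract that server.py now relies on. Pin it to the version you tested against, `flask-simple-csrf==<tested version>`, to match the rest of the file and keep installs reproducible.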
13
server.py
13
server.py
@ -11,8 +11,10 @@ import json
import os
import os
from flask import Flask, render_template, jsonify, request, send_from_directory
from flask import Flask, render_template, jsonify, request, send_from_directory
from flask_simple_csrf import CSRF
from dotenv import load_dotenv, find_dotenv
from dotenv import load_dotenv, find_dotenv
# Setup Stripe python client library.
# Setup Stripe python client library.
load_dotenv(find_dotenv())
load_dotenv(find_dotenv())
@ -23,7 +25,14 @@ static_dir = str(os.path.abspath(os.path.join(
__file__, "..", os.getenv("STATIC_DIR"))))
__file__, "..", os.getenv("STATIC_DIR"))))
app = Flask(__name__, static_folder=static_dir,
app = Flask(__name__, static_folder=static_dir,
static_url_path="", template_folder=static_dir)
static_url_path="", template_folder=static_dir)
CSRF = CSRF(config=os.getenv('CSRF_CONFIG'))
app = CSRF.init_app(app)
@app.before_request
def before_request():
if 'CSRF_TOKEN' not in session or 'USER_CSRF' not in session:
session['USER_CSRF'] = random_string(64)
session['CSRF_TOKEN'] = CSRF.create(session['USER_CSRF'])
@app.route('/', methods=['GET'])
@app.route('/', methods=['GET'])
def get_index():
def get_index():
@ -35,6 +44,7 @@ def get_publishable_key():
return jsonify({
return jsonify({
'publicKey': os.getenv('STRIPE_PUBLISHABLE_KEY'),
'publicKey': os.getenv('STRIPE_PUBLISHABLE_KEY'),
'name': os.getenv('PROJECT_NAME'),
'name': os.getenv('PROJECT_NAME'),
'csrf': session['USER_CSRF'],
})
})
@app.route('/create-checkout-session', methods=['POST'])
@app.route('/create-checkout-session', methods=['POST'])
@ -42,7 +52,8 @@ def create_checkout_session():
data = json.loads(request.data)
data = json.loads(request.data)
domain_url = os.getenv('DOMAIN')
domain_url = os.getenv('DOMAIN')
try:
try:
if data['frequency'] not in ['RECURING', 'ONE_TIME'] or
if CSRF.verify(data['user_csrf'], session['CSRF_TOKEN']) is False or
data['frequency'] not in ['RECURING', 'ONE_TIME'] or
data['currency'] not in ['EUR', 'USD'] or
data['currency'] not in ['EUR', 'USD'] or
int(data['quantity']) <= 0:
int(data['quantity']) <= 0:
return jsonify(error="Bad value"), 400
return jsonify(error="Bad value"), 400
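Review bot: `session` is read and written in every new block (`before_request`, `get_publishable_key`, `create_checkout_session`) but the `from flask import ...` line visible in the first hunk does not import it, and `random_string` in `before_request` is neither imported nor defined in any hunk shown, so the first request raises NameError unless both are supplied by code outside this diff; the import line should read `from flask import Flask, render_template, jsonify, request, send_from_directory, session`. `USER_CSRF` is the value a forger has to guess, so it should come from the stdlib CSPRNG — `session['USER_CSRF'] = secrets.token_urlsafe(48)` — rather than an unspecified helper. `CSRF = CSRF(config=os.getenv('CSRF_CONFIG'))` rebinds the imported class name to an instance and passes a plain string (or `None` when the variable is unset, which is the case with the env file in this same commit, where the new variable is `SECRET_CSRF_KEY`), which is presumably not the shape flask-simple-csrf expects for `config` — confirm the library's contract and bind the instance under a distinct name such as `csrf`. Flask's `session` also requires `app.secret_key`, which no shown hunk sets; confirm it is set elsewhere, since without it neither token can be stored and every request will fail.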