mirror of
https://github.com/YunoHost/pepettes.git
synced 2024-09-03 20:06:20 +02:00
[wip] CSRF
This commit is contained in:
ljf
parent
3537d2dc84
commit
ae1cef3407
4 changed files with 15 additions and 1 deletions
|
|
@ -29,6 +29,7 @@ DEBUG=True
|
|||
PROJECT_NAME=YunoHost
|
||||
DOMAIN=http://localhost:8000
|
||||
STATIC_DIR=assets
|
||||
SECRET_CSRF_KEY=TO_CHANGE
|
||||
|
||||
# Stripe keys
|
||||
STRIPE_PUBLISHABLE_KEY=pk_test_gOgGjacs9YfvDJY03BRZ576O
|
||||
|
|
|
|||
|
|
@ -27,6 +27,7 @@ submitBtn.addEventListener('click', function (evt) {
|
|||
'Content-Type': 'application/json',
|
||||
},
|
||||
body: JSON.stringify({
|
||||
user_csrf: window.config.csrf,
|
||||
quantity: quantity,
|
||||
currency: currency,
|
||||
frequency: frequency
|
||||
|
|
|
|||
|
|
@ -12,3 +12,4 @@ stripe==2.47.0
|
|||
toml==0.9.6
|
||||
urllib3==1.25.3
|
||||
Werkzeug==1.0.1
|
||||
flask-simple-csrf
|
||||
|
|
|
|||
13
server.py
13
server.py
|
|
@ -11,8 +11,10 @@ import json
|
|||
import os
|
||||
|
||||
from flask import Flask, render_template, jsonify, request, send_from_directory
|
||||
from flask_simple_csrf import CSRF
|
||||
from dotenv import load_dotenv, find_dotenv
|
||||
|
||||
|
||||
# Setup Stripe python client library.
|
||||
load_dotenv(find_dotenv())
|
||||
|
||||
|
|
@ -23,7 +25,14 @@ static_dir = str(os.path.abspath(os.path.join(
|
|||
__file__, "..", os.getenv("STATIC_DIR"))))
|
||||
app = Flask(__name__, static_folder=static_dir,
|
||||
static_url_path="", template_folder=static_dir)
|
||||
CSRF = CSRF(config=os.getenv('CSRF_CONFIG'))
|
||||
app = CSRF.init_app(app)
|
||||
|
||||
@app.before_request
|
||||
def before_request():
|
||||
if 'CSRF_TOKEN' not in session or 'USER_CSRF' not in session:
|
||||
session['USER_CSRF'] = random_string(64)
|
||||
session['CSRF_TOKEN'] = CSRF.create(session['USER_CSRF'])
|
||||
|
||||
@app.route('/', methods=['GET'])
|
||||
def get_index():
|
||||
|
|
@ -35,6 +44,7 @@ def get_publishable_key():
|
|||
return jsonify({
|
||||
'publicKey': os.getenv('STRIPE_PUBLISHABLE_KEY'),
|
||||
'name': os.getenv('PROJECT_NAME'),
|
||||
'csrf': session['USER_CSRF'],
|
||||
})
|
||||
|
||||
@app.route('/create-checkout-session', methods=['POST'])
|
||||
|
|
@ -42,7 +52,8 @@ def create_checkout_session():
|
|||
data = json.loads(request.data)
|
||||
domain_url = os.getenv('DOMAIN')
|
||||
try:
|
||||
if data['frequency'] not in ['RECURING', 'ONE_TIME'] or
|
||||
if CSRF.verify(data['user_csrf'], session['CSRF_TOKEN']) is False or
|
||||
data['frequency'] not in ['RECURING', 'ONE_TIME'] or
|
||||
data['currency'] not in ['EUR', 'USD'] or
|
||||
int(data['quantity']) <= 0:
|
||||
return jsonify(error="Bad value"), 400
|
||||
|
|
|
|||
Loading…
Reference in a new issue