YunoHost/pepettes
1
0
Fork 0
mirror of https://github.com/YunoHost/pepettes.git synced 2024-09-03 20:06:20 +02:00
Code Issues Projects Releases Packages Wiki Activity

[wip] CSRF

Browse source
This commit is contained in:
ljf 2021-02-15 05:10:36 +01:00
parent 3537d2dc84
commit ae1cef3407
4 changed files with 15 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
README.md
View file

@ -29,6 +29,7 @@ DEBUG=True
PROJECT_NAME=YunoHost
DOMAIN=http://localhost:8000
STATIC_DIR=assets
SECRET_CSRF_KEY=TO_CHANGE
# Stripe keys
STRIPE_PUBLISHABLE_KEY=pk_test_gOgGjacs9YfvDJY03BRZ576O

1
assets/index.js
View file

@ -27,6 +27,7 @@ submitBtn.addEventListener('click', function (evt) {
'Content-Type': 'application/json',
},
body: JSON.stringify({
user_csrf: window.config.csrf,
quantity: quantity,
currency: currency,
frequency: frequency

1
requirements.txt
View file

@ -12,3 +12,4 @@ stripe==2.47.0
toml==0.9.6
urllib3==1.25.3
Werkzeug==1.0.1
flask-simple-csrf

13
server.py
View file

@ -11,8 +11,10 @@ import json
import os
from flask import Flask, render_template, jsonify, request, send_from_directory
from flask_simple_csrf import CSRF
from dotenv import load_dotenv, find_dotenv
# Setup Stripe python client library.
load_dotenv(find_dotenv())
@ -23,7 +25,14 @@ static_dir = str(os.path.abspath(os.path.join(
__file__, "..", os.getenv("STATIC_DIR"))))
app = Flask(__name__, static_folder=static_dir,
static_url_path="", template_folder=static_dir)
CSRF = CSRF(config=os.getenv('CSRF_CONFIG'))
app = CSRF.init_app(app)
@app.before_request
def before_request():
if 'CSRF_TOKEN' not in session or 'USER_CSRF' not in session:
session['USER_CSRF'] = random_string(64)
session['CSRF_TOKEN'] = CSRF.create(session['USER_CSRF'])
@app.route('/', methods=['GET'])
def get_index():
@ -35,6 +44,7 @@ def get_publishable_key():
return jsonify({
'publicKey': os.getenv('STRIPE_PUBLISHABLE_KEY'),
'name': os.getenv('PROJECT_NAME'),
'csrf': session['USER_CSRF'],
})
@app.route('/create-checkout-session', methods=['POST'])
@ -42,7 +52,8 @@ def create_checkout_session():
data = json.loads(request.data)
domain_url = os.getenv('DOMAIN')
try:
if data['frequency'] not in ['RECURING', 'ONE_TIME'] or
if CSRF.verify(data['user_csrf'], session['CSRF_TOKEN']) is False or
data['frequency'] not in ['RECURING', 'ONE_TIME'] or
data['currency'] not in ['EUR', 'USD'] or
int(data['quantity']) <= 0:
return jsonify(error="Bad value"), 400