Mercurial > libervia-web
annotate src/server/session_iface.py @ 956:dabecab10faa
server (pages): impleted CSRF protection:
A basic CSRF protection has been implemented using CSRF token. The token is created on session creation, and checked on data post.
The process should be fully automatic, and a hidden field is added in forms in sat_templates when csrf_token is present in template data (require to import input/form.html with context).
If token is wrong on absent, an unauthorized error page is returned (and client ip is logged).
Also don't use anymore inlineCallbacks in _on_data_post, as StopIteration exception are catched by inlineCallbacks, resulting in bad behaviour. As a further security, getPostedDate raise a KeyError instead of StopIteration is a specific key is looked for and missing.
Added HTTP_SEE_OTHER status code in constants.
| author | Goffi <goffi@goffi.org> |
|---|---|
| date | Mon, 10 Jul 2017 19:10:31 +0200 |
| parents | 92f0eeb6dc72 |
| children | 67bf14c91d5c |
| rev | line source |
|---|---|
|
919
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
1 #!/usr/bin/python |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
2 # -*- coding: utf-8 -*- |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
3 |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
4 # Libervia: a SAT frontend |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
5 # Copyright (C) 2009-2016 Jérôme Poisson (goffi@goffi.org) |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
6 |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
7 # This program is free software: you can redistribute it and/or modify |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
8 # it under the terms of the GNU Affero General Public License as published by |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
9 # the Free Software Foundation, either version 3 of the License, or |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
10 # (at your option) any later version. |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
11 |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
12 # This program is distributed in the hope that it will be useful, |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
15 # GNU Affero General Public License for more details. |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
16 |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
17 # You should have received a copy of the GNU Affero General Public License |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
19 from zope.interface import Interface, Attribute, implements |
|
947
92f0eeb6dc72
pages: cache identities identities in session + get identities for comments in blog
Goffi <goffi@goffi.org>
parents:
919
diff
changeset
|
20 from sat.tools.common import data_objects |
|
919
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
21 import shortuuid |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
22 |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
23 class ISATSession(Interface): |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
24 profile = Attribute("Sat profile") |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
25 jid = Attribute("JID associated with the profile") |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
26 uuid = Attribute("uuid associated with the profile session") |
|
947
92f0eeb6dc72
pages: cache identities identities in session + get identities for comments in blog
Goffi <goffi@goffi.org>
parents:
919
diff
changeset
|
27 identities = Attribute("Identities of XMPP entities") |
|
919
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
28 |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
29 |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
30 class SATSession(object): |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
31 implements(ISATSession) |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
32 |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
33 def __init__(self, session): |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
34 self.profile = None |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
35 self.jid = None |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
36 self.uuid = unicode(shortuuid.uuid()) |
|
947
92f0eeb6dc72
pages: cache identities identities in session + get identities for comments in blog
Goffi <goffi@goffi.org>
parents:
919
diff
changeset
|
37 self.identities = data_objects.Identities() |
|
956
dabecab10faa
server (pages): impleted CSRF protection:
Goffi <goffi@goffi.org>
parents:
947
diff
changeset
|
38 self.csrf_token = unicode(shortuuid.uuid()) |
|
919
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
39 |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
40 |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
41 class ISATGuestSession(Interface): |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
42 id = Attribute("UUID of the guest") |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
43 data = Attribute("data associated with the guest") |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
44 |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
45 |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
46 class SATGuestSession(object): |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
47 implements(ISATGuestSession) |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
48 |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
49 def __init__(self, session): |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
50 self.id = None |
|
7b267496da1d
server: moved session interfaces to session_iface module + added SATGuestSession
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
51 self.data = None |