comparison libervia/server/pages.py @ 1479:095e94ca6728

pages: disable CSRF token check when service profile is used: CSRF token check doesn't make sense when no user is logged in, and it causes trouble for caching. fix 400
author Goffi <goffi@goffi.org>
date Fri, 22 Oct 2021 16:04:23 +0200
parents c669b5bfb8a0
children 774a81a6e8b5
1478:10ccad665d57 1479:095e94ca6728
544 log.info(_("{page} created").format(page=resource)) 544 log.info(_("{page} created").format(page=resource))
545 else: 545 else:
546 log.info(_("{page} reloaded").format(page=resource)) 546 log.info(_("{page} reloaded").format(page=resource))
547 547
548 def checkCSRF(self, request): 548 def checkCSRF(self, request):
549 csrf_token = self.host.getSessionData( 549 session = self.host.getSessionData(
550 request, session_iface.ISATSession 550 request, session_iface.ISATSession
551 ).csrf_token 551 )
552 if session.profile is None:
553 # CSRF doesn't make sense when no user is logged
554 log.debug("disabling CSRF check because service profile is used")
555 return
556 csrf_token = session.csrf_token
552 given_csrf = request.getHeader("X-Csrf-Token") 557 given_csrf = request.getHeader("X-Csrf-Token")
553 if given_csrf is None: 558 if given_csrf is None:
554 try: 559 try:
555 given_csrf = self.getPostedData(request, "csrf_token") 560 given_csrf = self.getPostedData(request, "csrf_token")
556 except KeyError: 561 except KeyError:
1807 # template_data are the variables passed to template 1812 # template_data are the variables passed to template
1808 if not hasattr(request, "template_data"): 1813 if not hasattr(request, "template_data"):
1809 # if template_data doesn't exist, it's the beginning of the request workflow 1814 # if template_data doesn't exist, it's the beginning of the request workflow
1810 # so we fill essential data 1815 # so we fill essential data
1811 session_data = self.host.getSessionData(request, session_iface.ISATSession) 1816 session_data = self.host.getSessionData(request, session_iface.ISATSession)
1817 profile = session_data.profile
1812 request.template_data = { 1818 request.template_data = {
1813 "profile": session_data.profile, 1819 "profile": profile,
1814 "csrf_token": session_data.csrf_token, 1820 # it's important to not add CSRF token and session uuid if service profile
1815 "session_uuid": session_data.uuid, 1821 # is used because the page may be cached, and the token then leaked
1822 "csrf_token": "" if profile is None else session_data.csrf_token,
1823 "session_uuid": "public" if profile is None else session_data.uuid,
1816 "breadcrumbs": [] 1824 "breadcrumbs": []
1817 } 1825 }
1818 1826
1819 # XXX: here is the code which need to be executed once 1827 # XXX: here is the code which need to be executed once
1820 # at the beginning of the request hanling 1828 # at the beginning of the request hanling