diff libervia/server/pages.py @ 1479:095e94ca6728
pages: disable CSRF token check when service profile is used:
The CSRF token check makes no sense when no user is logged in, and it causes trouble for
caching.
fix 400
author | Goffi <goffi@goffi.org> |
date | Fri, 22 Oct 2021 16:04:23 +0200 |
parents | c669b5bfb8a0 |
children | 774a81a6e8b5 |
--- a/libervia/server/pages.py Thu Oct 21 17:37:59 2021 +0200
+++ b/libervia/server/pages.py Fri Oct 22 16:04:23 2021 +0200
@@ -546,9 +546,14 @@
 log.info(_("{page} reloaded").format(page=resource))
 def checkCSRF(self, request):
- csrf_token = self.host.getSessionData(
+ session = self.host.getSessionData(
 request, session_iface.ISATSession
- ).csrf_token
+ )
+ if session.profile is None:
+ # CSRF doesn't make sense when no user is logged
+ log.debug("disabling CSRF check because service profile is used")
+ return
+ csrf_token = session.csrf_token
 given_csrf = request.getHeader("X-Csrf-Token")
 if given_csrf is None:
 try:
@@ -1809,10 +1814,13 @@
 # if template_data doesn't exist, it's the beginning of the request workflow
 # so we fill essential data
 session_data = self.host.getSessionData(request, session_iface.ISATSession)
+ profile = session_data.profile
 request.template_data = {
- "profile": session_data.profile,
- "csrf_token": session_data.csrf_token,
- "session_uuid": session_data.uuid,
+ "profile": profile,
+ # it's important to not add CSRF token and session uuid if service profile
+ # is used because the page may be cached, and the token then leaked
+ "csrf_token": "" if profile is None else session_data.csrf_token,
+ "session_uuid": "public" if profile is None else session_data.uuid,
 "breadcrumbs": []
 }
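Review bot: The early `return` added after the `session.profile is None` test switches CSRF enforcement off for every request handled under the service profile, so any handler that still changes server-side state in that mode is left without this protection; that trade-off deserves to be stated at the point where the check is skipped rather than only in the commit message. The inline comment could read `# No user is logged in (service profile): CSRF check is skipped. Handlers that modify state for the service profile must not rely on checkCSRF.` Whether `profile is None` is the only way the service profile shows up on the session is not visible in this hunk, so the wording of the `log.debug` message is presumably right but should be confirmed against the session interface. The body of checkCSRF continues past the `try:` at the end of the hunk.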
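Review bot: The `"public"` placeholder written into `session_uuid` and the empty string written into `csrf_token` are two bare literals that mark the same service-profile condition, and any code that later compares `session_uuid` with the real session uuid has to know about the placeholder. A module-level constant (for example `PUBLIC_SESSION_UUID = "public"`) used here and wherever the value is read would keep both sides in sync, and since the `profile is None` test now appears both in this dict and in checkCSRF, a single helper on the session object would keep the definition of "service profile" in one place. The comment above `"csrf_token"` explains the caching concern well; it could add that the empty token is expected to fail checkCSRF so a cached public page never becomes a valid CSRF carrier. The function enclosing this hunk starts and ends outside it.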