diff libervia/server/pages.py @ 1479:095e94ca6728

pages: disable CSRF token check when service profile is used: CSRF token check doesn't make sense when no user is logged in, and it causes trouble for caching. fix 400
author Goffi <goffi@goffi.org>
date Fri, 22 Oct 2021 16:04:23 +0200
parents c669b5bfb8a0
children 774a81a6e8b5
--- a/libervia/server/pages.py	Thu Oct 21 17:37:59 2021 +0200
+++ b/libervia/server/pages.py	Fri Oct 22 16:04:23 2021 +0200
@@ -546,9 +546,14 @@
                     log.info(_("{page} reloaded").format(page=resource))
 
     def checkCSRF(self, request):
-        csrf_token = self.host.getSessionData(
+        session = self.host.getSessionData(
             request, session_iface.ISATSession
-        ).csrf_token
+        )
+        if session.profile is None:
+            # CSRF doesn't make sense when no user is logged
+            log.debug("disabling CSRF check because service profile is used")
+            return
+        csrf_token = session.csrf_token
         given_csrf = request.getHeader("X-Csrf-Token")
         if given_csrf is None:
             try:
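Review bot: The early return on `session.profile is None` exempts every session whose profile is unset from the CSRF check, not only the service profile the comment names; if `profile` can be None in any other state (a session before login completes, for instance — not visible here), those requests would skip the check too. The exemption is only safe while a service-profile session cannot perform any authenticated, state-changing action, and that invariant is not recorded in the hunk; I would replace the comment with one that states it, e.g. `# profile is None only for the service (anonymous) profile: such a session holds no authenticated state, so a CSRF token is meaningless here and must not be issued (the page may be cached and the token leaked)`. The same `profile is None` test drives the empty token and the "public" uuid in the second hunk, so both sites should refer to that one rule rather than restating it. checkCSRF's body continues outside the hunk, so how the remaining checks reject a bad token is not visible here.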
@@ -1809,10 +1814,13 @@
             # if template_data doesn't exist, it's the beginning of the request workflow
             # so we fill essential data
             session_data = self.host.getSessionData(request, session_iface.ISATSession)
+            profile = session_data.profile
             request.template_data = {
-                "profile": session_data.profile,
-                "csrf_token": session_data.csrf_token,
-                "session_uuid": session_data.uuid,
+                "profile": profile,
+                # it's important to not add CSRF token and session uuid if service profile
+                # is used because the page may be cached, and the token then leaked
+                "csrf_token": "" if profile is None else session_data.csrf_token,
+                "session_uuid": "public" if profile is None else session_data.uuid,
                 "breadcrumbs": []
             }