Mercurial > libervia-web

view src/server/session_iface.py @ 956:dabecab10faa

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
server (pages): impleted CSRF protection: A basic CSRF protection has been implemented using CSRF token. The token is created on session creation, and checked on data post. The process should be fully automatic, and a hidden field is added in forms in sat_templates when csrf_token is present in template data (require to import input/form.html with context). If token is wrong on absent, an unauthorized error page is returned (and client ip is logged). Also don't use anymore inlineCallbacks in _on_data_post, as StopIteration exception are catched by inlineCallbacks, resulting in bad behaviour. As a further security, getPostedDate raise a KeyError instead of StopIteration is a specific key is looked for and missing. Added HTTP_SEE_OTHER status code in constants.
author Goffi <goffi@goffi.org>
date Mon, 10 Jul 2017 19:10:31 +0200
parents 92f0eeb6dc72
children 67bf14c91d5c
line wrap: on
line source

#!/usr/bin/python
# -*- coding: utf-8 -*-

# Libervia: a SAT frontend
# Copyright (C) 2009-2016 Jérôme Poisson (goffi@goffi.org)

# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.

# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
from zope.interface import Interface, Attribute, implements
from sat.tools.common import data_objects
import shortuuid

class ISATSession(Interface):
    profile = Attribute("Sat profile")
    jid = Attribute("JID associated with the profile")
    uuid = Attribute("uuid associated with the profile session")
    identities = Attribute("Identities of XMPP entities")


class SATSession(object):
    implements(ISATSession)

    def __init__(self, session):
        self.profile = None
        self.jid = None
        self.uuid = unicode(shortuuid.uuid())
        self.identities = data_objects.Identities()
        self.csrf_token = unicode(shortuuid.uuid())


class ISATGuestSession(Interface):
    id = Attribute("UUID of the guest")
    data = Attribute("data associated with the guest")


class SATGuestSession(object):
    implements(ISATGuestSession)

    def __init__(self, session):
        self.id = None
        self.data = None