changeset 1479:095e94ca6728

pages: disable CSRF token check when service profile is used: CSRF token check doesn't make sense when no user is logged in, and it causes trouble for caching. fix 400
author Goffi <goffi@goffi.org>
date Fri, 22 Oct 2021 16:04:23 +0200
parents 10ccad665d57
children e739600267cd
files libervia/server/constants.py libervia/server/pages.py
diffstat 2 files changed, 15 insertions(+), 6 deletions(-) [+]
--- a/libervia/server/constants.py	Thu Oct 21 17:37:59 2021 +0200
+++ b/libervia/server/constants.py	Fri Oct 22 16:04:23 2021 +0200
@@ -26,7 +26,8 @@
     APP_NAME_ALT = APP_NAME
     APP_NAME_FILE = "libervia_web"
     CONFIG_SECTION = APP_COMPONENT.lower()
-    SERVICE_PROFILE = "libervia"  # the SàT profile that is used for exporting the service
+    # the Libervia profile that is used for public operations (when nobody is connected)
+    SERVICE_PROFILE = "libervia"
 
     SESSION_TIMEOUT = 7200  # Session's timeout, after that the user will be disconnected
     HTML_DIR = "html/"
--- a/libervia/server/pages.py	Thu Oct 21 17:37:59 2021 +0200
+++ b/libervia/server/pages.py	Fri Oct 22 16:04:23 2021 +0200
@@ -546,9 +546,14 @@
                     log.info(_("{page} reloaded").format(page=resource))
 
     def checkCSRF(self, request):
-        csrf_token = self.host.getSessionData(
+        session = self.host.getSessionData(
             request, session_iface.ISATSession
-        ).csrf_token
+        )
+        if session.profile is None:
+            # CSRF doesn't make sense when no user is logged
+            log.debug("disabling CSRF check because service profile is used")
+            return
+        csrf_token = session.csrf_token
         given_csrf = request.getHeader("X-Csrf-Token")
         if given_csrf is None:
             try:
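Review bot: The early `return` when `session.profile is None` removes CSRF protection from every state-changing request made in an anonymous session, and that is only safe if nothing reachable without a login changes server state; the login form itself is the usual exception, since a forged POST to it gives a login CSRF (the victim's browser is silently authenticated as the attacker's account), so whether the login handler goes through checkCSRF — not visible in this hunk — should be confirmed and, if it does, given its own token that is not rendered into cacheable pages. Second, the `log.debug` message says "service profile is used" while the test is `profile is None`; tying the two together would be clearer as `if session.profile is None:  # no user logged in, service profile is in use`. I would also document the new contract in the docstring, e.g. `"""Reject the request unless it carries the session's CSRF token. Skipped for anonymous sessions (profile is None): those run as the read-only service profile, so callers must not rely on this check for any anonymous endpoint that mutates state."""`. The body of checkCSRF continues outside the hunk.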
@@ -1809,10 +1814,13 @@
             # if template_data doesn't exist, it's the beginning of the request workflow
             # so we fill essential data
             session_data = self.host.getSessionData(request, session_iface.ISATSession)
+            profile = session_data.profile
             request.template_data = {
-                "profile": session_data.profile,
-                "csrf_token": session_data.csrf_token,
-                "session_uuid": session_data.uuid,
+                "profile": profile,
+                # it's important to not add CSRF token and session uuid if service profile
+                # is used because the page may be cached, and the token then leaked
+                "csrf_token": "" if profile is None else session_data.csrf_token,
+                "session_uuid": "public" if profile is None else session_data.uuid,
                 "breadcrumbs": []
             }