changeset 1479:095e94ca6728
pages: disable CSRF token check when service profile is used:
CSRF token check doesn't make sense when no user is logged in, and it causes trouble for
caching.
fix 400
author | Goffi <goffi@goffi.org> |
date | Fri, 22 Oct 2021 16:04:23 +0200 |
parents | 10ccad665d57 |
children | e739600267cd |
files | libervia/server/constants.py libervia/server/pages.py |
diffstat | 2 files changed, 15 insertions(+), 6 deletions(-) [+] |
--- a/libervia/server/constants.py Thu Oct 21 17:37:59 2021 +0200
+++ b/libervia/server/constants.py Fri Oct 22 16:04:23 2021 +0200
@@ -26,7 +26,8 @@
 APP_NAME_ALT = APP_NAME
 APP_NAME_FILE = "libervia_web"
 CONFIG_SECTION = APP_COMPONENT.lower()
- SERVICE_PROFILE = "libervia" # the SàT profile that is used for exporting the service
+ # the Libervia profile that is used for public operations (when nobody is connected)
+ SERVICE_PROFILE = "libervia"
 SESSION_TIMEOUT = 7200 # Session's timeout, after that the user will be disconnected
 HTML_DIR = "html/"
--- a/libervia/server/pages.py Thu Oct 21 17:37:59 2021 +0200
+++ b/libervia/server/pages.py Fri Oct 22 16:04:23 2021 +0200
@@ -546,9 +546,14 @@
 log.info(_("{page} reloaded").format(page=resource))
 def checkCSRF(self, request):
- csrf_token = self.host.getSessionData(
+ session = self.host.getSessionData(
 request, session_iface.ISATSession
- ).csrf_token
+ )
+ if session.profile is None:
+ # CSRF doesn't make sense when no user is logged
+ log.debug("disabling CSRF check because service profile is used")
+ return
+ csrf_token = session.csrf_token
 given_csrf = request.getHeader("X-Csrf-Token")
 if given_csrf is None:
 try:
@@ -1809,10 +1814,13 @@
 # if template_data doesn't exist, it's the beginning of the request workflow
 # so we fill essential data
 session_data = self.host.getSessionData(request, session_iface.ISATSession)
+ profile = session_data.profile
 request.template_data = {
- "profile": session_data.profile,
- "csrf_token": session_data.csrf_token,
- "session_uuid": session_data.uuid,
+ "profile": profile,
+ # it's important to not add CSRF token and session uuid if service profile
+ # is used because the page may be cached, and the token then leaked
+ "csrf_token": "" if profile is None else session_data.csrf_token,
+ "session_uuid": "public" if profile is None else session_data.uuid,
 "breadcrumbs": []
 }
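Review bot: The early `return` added to checkCSRF makes every request whose session has no profile skip the token comparison entirely, so any handler that accepts state-changing requests from a visitor who is not logged in now depends on whatever other protection it has; the commit message only argues the case for cached public pages. The method has no docstring stating this contract; I would add one along the lines of `"""Reject the request unless its X-Csrf-Token header matches the session token; skipped when session.profile is None (no logged user)."""`. The debug message says the service profile is in use, but the condition only tests `session.profile is None`; unless getSessionData guarantees these are equivalent, the bypass may be wider than the message suggests — worth confirming. checkCSRF's body continues past the end of the hunk.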
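Review bot: The public branch of the template_data hunk substitutes `""` for the token and the bare literal `"public"` for the session uuid, and nothing in the hunk ties that choice to the `profile is None` bypass in checkCSRF, so the two sites can drift silently if either condition is later changed (for example if anonymous pages are ever given a real token again). Naming the sentinel once at module level, e.g. `PUBLIC_SESSION_UUID = "public"` (constructed name), and referencing it here would make the coupling visible to the next maintainer. The comment already explains the cache-leak rationale well; it would read better with "not to add" instead of "to not add". The enclosing function starts outside the hunk.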