anti-csrf

2024-09-30 21:29:31 +02:00 · 2020-03-17 02:10:47 +00:00 · 2020-03-17 02:10:47 +00:00 · 1e7477dd96
commit 1e7477dd96
parent 873bd1a73e
4 changed files with 8 additions and 2 deletions
--- a/app.py
+++ b/app.py
@ -14,6 +14,7 @@ from functools import wraps
 from flask import Flask, g, jsonify, render_template, request, abort, redirect, session, flash
 from flask_caching import Cache
 from flask_session import Session
+from flask_wtf.csrf import CSRFProtect, generate_csrf
 from ffmpy import FFmpeg
 from pymongo import MongoClient

@ -26,6 +27,7 @@ app.config['SESSION_COOKIE_HTTPONLY'] = False
 app.cache = Cache(app, config=config.REDIS)
 sess = Session()
 sess.init_app(app)
+csrf = CSRFProtect(app)

 db = client[config.MONGO['database']]
 db.users.create_index('username', unique=True)
@ -106,6 +108,7 @@ def get_config():
        config_out['assets_baseurl'] = ''.join([request.host_url, 'assets']) + '/'

    config_out['_version'] = get_version()
+    config_out['_csrf_token'] = generate_csrf()
    return config_out


@ -126,7 +129,6 @@ def get_version():


@app.route('/')
-@app.cache.cached(timeout=15)
 def route_index():
    version = get_version()
    return render_template('index.html', version=version, config=get_config())
--- a/public/src/js/account.js
+++ b/public/src/js/account.js
@ -423,6 +423,7 @@ class Account{
 			})
 			if(obj){
 				request.setRequestHeader("Content-Type", "application/json;charset=UTF-8")
+				request.setRequestHeader("X-CSRFToken", gameConfig._csrf_token)
 				request.send(JSON.stringify(obj))
 			}else{
 				request.send()
--- a/templates/admin_song_detail.html
+++ b/templates/admin_song_detail.html
@ -6,6 +6,7 @@
 {% endfor %}
 <div class="song-form">
    <form method="post">
+        <input type="hidden" name="csrf_token" value="{{ csrf_token() }}">

        <div class="form-field">
            <span class="checkbox"><input type="checkbox" name="enabled" id="enabled"{% if song.enabled %} checked{% endif %}{% if admin.user_level < 100 %} disabled {% endif %}><label for="enabled"> Enabled</label></span>
@ -124,6 +125,7 @@
    </form>
    {% if admin.user_level >= 100 %}
    <form class="delete-song" method="post" action="/admin/songs/{{song.id}}/delete" onsubmit="return confirm('Are you sure you wish to delete this song?');">
+        <input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
        <button type="submit">Delete song</button>
    </form>
    {% endif %}
--- a/templates/admin_song_new.html
+++ b/templates/admin_song_new.html
@ -6,9 +6,10 @@
 {% endfor %}
 <div class="song-form">
    <form method="post">
+        <input type="hidden" name="csrf_token" value="{{ csrf_token() }}">

        <div class="form-field">
-            <span class="checkbox"><input type="checkbox" name="enabled" id="enabled" checked><label for="enabled"> Enabled</label></span>
+            <span class="checkbox"><input type="checkbox" name="enabled" id="enabled"><label for="enabled"> Enabled</label></span>
        </div>

        <div class="form-field">