Removed custom CSRF handling code
authorThierry Florac <thierry.florac@onf.fr>
Thu, 14 Dec 2017 12:19:56 +0100
changeset 103 cd0086f5b00b
parent 102 44393819638c
child 104 e1552515151e
Removed custom CSRF handling code
src/pyams_security/csrf.py
--- a/src/pyams_security/csrf.py	Thu Dec 14 12:19:33 2017 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,51 +0,0 @@
-#
-# Copyright (c) 2008-2015 Thierry Florac <tflorac AT ulthar.net>
-# All Rights Reserved.
-#
-# This software is subject to the provisions of the Zope Public License,
-# Version 2.1 (ZPL).  A copy of the ZPL should accompany this distribution.
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
-# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
-# FOR A PARTICULAR PURPOSE.
-#
-
-__docformat__ = 'restructuredtext'
-
-
-# import standard library
-
-# import interfaces
-from pyramid.interfaces import INewRequest, INewResponse
-
-# import packages
-from pyramid.events import subscriber
-from pyramid.exceptions import BadCSRFToken
-from pyramid.session import check_csrf_origin
-from pyramid.util import strings_differ
-
-
-CSRF_TOKEN_COOKIE_NAME = 'csrf_token'
-
-
-@subscriber(INewRequest)
-def handle_new_request(event):
-    """Handle any request with CSRF token cookie"""
-    request = event.request
-    if (request.method == 'POST') or request.is_xhr:
-        check_csrf_origin(request)
-        post_token = request.cookies.get(CSRF_TOKEN_COOKIE_NAME)
-        session_token = request.session.get_csrf_token()
-        if (not post_token) or strings_differ(post_token, session_token):
-            raise BadCSRFToken('Invalid CSRF token')
-
-
-@subscriber(INewResponse)
-def handle_new_response(event):
-    """Handle new response to manage CSRF token cookie"""
-    request = event.request
-    if not request.path.startswith('/--static--/'):
-        token = request.session.get_csrf_token()
-        event.response.set_cookie(CSRF_TOKEN_COOKIE_NAME, token,
-                                  secure=request.scheme == 'https',
-                                  httponly=True)