--- a/src/pyams_security/csrf.py Thu Dec 14 12:19:33 2017 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,51 +0,0 @@
-#
-# Copyright (c) 2008-2015 Thierry Florac <tflorac AT ulthar.net>
-# All Rights Reserved.
-#
-# This software is subject to the provisions of the Zope Public License,
-# Version 2.1 (ZPL). A copy of the ZPL should accompany this distribution.
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
-# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
-# FOR A PARTICULAR PURPOSE.
-#
-
-__docformat__ = 'restructuredtext'
-
-
-# import standard library
-
-# import interfaces
-from pyramid.interfaces import INewRequest, INewResponse
-
-# import packages
-from pyramid.events import subscriber
-from pyramid.exceptions import BadCSRFToken
-from pyramid.session import check_csrf_origin
-from pyramid.util import strings_differ
-
-
-CSRF_TOKEN_COOKIE_NAME = 'csrf_token'
-
-
-@subscriber(INewRequest)
-def handle_new_request(event):
- """Handle any request with CSRF token cookie"""
- request = event.request
- if (request.method == 'POST') or request.is_xhr:
- check_csrf_origin(request)
- post_token = request.cookies.get(CSRF_TOKEN_COOKIE_NAME)
- session_token = request.session.get_csrf_token()
- if (not post_token) or strings_differ(post_token, session_token):
- raise BadCSRFToken('Invalid CSRF token')
-
-
-@subscriber(INewResponse)
-def handle_new_response(event):
- """Handle new response to manage CSRF token cookie"""
- request = event.request
- if not request.path.startswith('/--static--/'):
- token = request.session.get_csrf_token()
- event.response.set_cookie(CSRF_TOKEN_COOKIE_NAME, token,
- secure=request.scheme == 'https',
- httponly=True)