Added CSRF token cookie in every server response, with validation in every POST or AJAX request
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/pyams_security/csrf.py Thu Sep 28 15:02:44 2017 +0200
@@ -0,0 +1,51 @@
+#
+# Copyright (c) 2008-2015 Thierry Florac <tflorac AT ulthar.net>
+# All Rights Reserved.
+#
+# This software is subject to the provisions of the Zope Public License,
+# Version 2.1 (ZPL). A copy of the ZPL should accompany this distribution.
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
+# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
+# FOR A PARTICULAR PURPOSE.
+#
+
+__docformat__ = 'restructuredtext'
+
+
+# import standard library
+
+# import interfaces
+from pyramid.interfaces import INewRequest, INewResponse
+
+# import packages
+from pyramid.events import subscriber
+from pyramid.exceptions import BadCSRFToken
+from pyramid.session import check_csrf_origin
+from pyramid.util import strings_differ
+
+
+CSRF_TOKEN_COOKIE_NAME = 'csrf_token'
+
+
+@subscriber(INewRequest)
+def handle_new_request(event):
+ """Handle any request with CSRF token cookie"""
+ request = event.request
+ if (request.method == 'POST') or request.is_xhr:
+ check_csrf_origin(request)
+ post_token = request.cookies.get(CSRF_TOKEN_COOKIE_NAME)
+ session_token = request.session.get_csrf_token()
+ if (not post_token) or strings_differ(post_token, session_token):
+ raise BadCSRFToken('Invalid CSRF token')
+
+
+@subscriber(INewResponse)
+def handle_new_response(event):
+ """Handle new response to manage CSRF token cookie"""
+ request = event.request
+ if not request.path.startswith('/--static--/'):
+ token = request.session.get_csrf_token()
+ event.response.set_cookie(CSRF_TOKEN_COOKIE_NAME, token,
+ secure=request.scheme == 'https',
+ httponly=True)