Commit 1e7477dd authored by Bui's avatar Bui

anti-csrf

parent 873bd1a7
...@@ -14,6 +14,7 @@ from functools import wraps ...@@ -14,6 +14,7 @@ from functools import wraps
from flask import Flask, g, jsonify, render_template, request, abort, redirect, session, flash from flask import Flask, g, jsonify, render_template, request, abort, redirect, session, flash
from flask_caching import Cache from flask_caching import Cache
from flask_session import Session from flask_session import Session
from flask_wtf.csrf import CSRFProtect, generate_csrf
from ffmpy import FFmpeg from ffmpy import FFmpeg
from pymongo import MongoClient from pymongo import MongoClient
...@@ -26,6 +27,7 @@ app.config['SESSION_COOKIE_HTTPONLY'] = False ...@@ -26,6 +27,7 @@ app.config['SESSION_COOKIE_HTTPONLY'] = False
app.cache = Cache(app, config=config.REDIS) app.cache = Cache(app, config=config.REDIS)
sess = Session() sess = Session()
sess.init_app(app) sess.init_app(app)
csrf = CSRFProtect(app)
db = client[config.MONGO['database']] db = client[config.MONGO['database']]
db.users.create_index('username', unique=True) db.users.create_index('username', unique=True)
...@@ -106,6 +108,7 @@ def get_config(): ...@@ -106,6 +108,7 @@ def get_config():
config_out['assets_baseurl'] = ''.join([request.host_url, 'assets']) + '/' config_out['assets_baseurl'] = ''.join([request.host_url, 'assets']) + '/'
config_out['_version'] = get_version() config_out['_version'] = get_version()
config_out['_csrf_token'] = generate_csrf()
return config_out return config_out
...@@ -126,7 +129,6 @@ def get_version(): ...@@ -126,7 +129,6 @@ def get_version():
@app.route('/') @app.route('/')
@app.cache.cached(timeout=15)
def route_index(): def route_index():
version = get_version() version = get_version()
return render_template('index.html', version=version, config=get_config()) return render_template('index.html', version=version, config=get_config())
......
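Review bot: The `_csrf_token` that `get_config()` now embeds comes from `generate_csrf()` and, under Flask-WTF's default `WTF_CSRF_TIME_LIMIT` of 3600 seconds, stops validating an hour after it was issued, so a client that fetches the config once and keeps posting from `gameConfig` will start getting 400 responses unless it refetches; either set `app.config['WTF_CSRF_TIME_LIMIT'] = None` next to `csrf = CSRFProtect(app)` so the token lives as long as the session, or document that the client must refresh it. Removing `@app.cache.cached(timeout=15)` from `route_index` is the right move, because a cached page would hand one user's token to every visitor, but if `get_config()` is also served by another cached route (a JSON config endpoint, say) that route needs the same treatment — I cannot see that from this hunk. The hunk context also shows `SESSION_COOKIE_HTTPONLY = False`; that is pre-existing, but now that the session carries the CSRF secret it is worth revisiting. `get_config` begins before the hunk.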
...@@ -423,6 +423,7 @@ class Account{ ...@@ -423,6 +423,7 @@ class Account{
}) })
if(obj){ if(obj){
request.setRequestHeader("Content-Type", "application/json;charset=UTF-8") request.setRequestHeader("Content-Type", "application/json;charset=UTF-8")
request.setRequestHeader("X-CSRFToken", gameConfig._csrf_token)
request.send(JSON.stringify(obj)) request.send(JSON.stringify(obj))
}else{ }else{
request.send() request.send()
......
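Review bot: The `X-CSRFToken` header is only set inside the `if(obj)` branch, so a request that goes through the `else` path (`request.send()` with no body) carries no token and will be rejected with 400 by `CSRFProtect` whenever its method is POST, PUT, PATCH or DELETE. Move the header out of the conditional, placing `request.setRequestHeader("X-CSRFToken", gameConfig._csrf_token)` before `if(obj){`, so every mutating request carries it; the extra header on a GET is harmless. `gameConfig._csrf_token` is presumably filled from the server's config blob, so confirm it is loaded before any `Account` request is issued. The enclosing method of class `Account` starts and ends outside the hunk.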
...@@ -6,6 +6,7 @@ ...@@ -6,6 +6,7 @@
{% endfor %} {% endfor %}
<div class="song-form"> <div class="song-form">
<form method="post"> <form method="post">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
<div class="form-field"> <div class="form-field">
<span class="checkbox"><input type="checkbox" name="enabled" id="enabled"{% if song.enabled %} checked{% endif %}{% if admin.user_level < 100 %} disabled {% endif %}><label for="enabled"> Enabled</label></span> <span class="checkbox"><input type="checkbox" name="enabled" id="enabled"{% if song.enabled %} checked{% endif %}{% if admin.user_level < 100 %} disabled {% endif %}><label for="enabled"> Enabled</label></span>
...@@ -124,6 +125,7 @@ ...@@ -124,6 +125,7 @@
</form> </form>
{% if admin.user_level >= 100 %} {% if admin.user_level >= 100 %}
<form class="delete-song" method="post" action="/admin/songs/{{song.id}}/delete" onsubmit="return confirm('Are you sure you wish to delete this song?');"> <form class="delete-song" method="post" action="/admin/songs/{{song.id}}/delete" onsubmit="return confirm('Are you sure you wish to delete this song?');">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
<button type="submit">Delete song</button> <button type="submit">Delete song</button>
</form> </form>
{% endif %} {% endif %}
......
...@@ -6,9 +6,10 @@ ...@@ -6,9 +6,10 @@
{% endfor %} {% endfor %}
<div class="song-form"> <div class="song-form">
<form method="post"> <form method="post">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
<div class="form-field"> <div class="form-field">
<span class="checkbox"><input type="checkbox" name="enabled" id="enabled" checked><label for="enabled"> Enabled</label></span> <span class="checkbox"><input type="checkbox" name="enabled" id="enabled"><label for="enabled"> Enabled</label></span>
</div> </div>
<div class="form-field"> <div class="form-field">
......
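Review bot: The `enabled` checkbox line in this hunk is printed in two variants, one with a `checked` attribute and one without, so this commit also changes the default enabled state of a new song, which is unrelated to the anti-csrf change the title describes. Either split that into its own commit or mention it in the message so the behavioural change is reviewable on its own; if the removal is intended, a template comment such as `{# new songs start disabled until reviewed #}` next to the input would record the reason. Which variant is old and which is new cannot be told with certainty from the rendered page.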