From ff9e0b2712b61b6f515e2dbd57f08952fe870386 Mon Sep 17 00:00:00 2001
From: Bryan Newbold
Date: Tue, 2 Apr 2019 16:16:25 -0700
Subject: fix CSRF for WTF forms
---
 python/fatcat_web/web_config.py | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'python/fatcat_web/web_config.py')
diff --git a/python/fatcat_web/web_config.py b/python/fatcat_web/web_config.py
index 8fe50049..8ece91f7 100644
--- a/python/fatcat_web/web_config.py
+++ b/python/fatcat_web/web_config.py
@@ -39,6 +39,11 @@ class Config(object):
 IA_XAUTH_CLIENT_ID = os.environ.get("IA_XAUTH_CLIENT_ID", default=None)
 IA_XAUTH_CLIENT_SECRET = os.environ.get("IA_XAUTH_CLIENT_SECRET", default=None)
 
+ # CSRF on by default, but only for WTF forms (not, eg, search, lookups, GET
+ # forms)
+ WTF_CSRF_CHECK_DEFAULT = True
+ WTF_CSRF_TIME_LIMIT = None
+
 # protect cookies (which include API tokens)
 if FATCAT_DOMAIN != "dev.fatcat.wiki":
 SESSION_COOKIE_HTTPONLY = True
-- 
cgit v1.2.3
From 0254eafe4a210995e0999221410e94aa2c6312e9 Mon Sep 17 00:00:00 2001
From: Bryan Newbold
Date: Wed, 3 Apr 2019 10:57:31 -0700
Subject: handle local/dev env config better
---
 python/fatcat_web/web_config.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
(limited to 'python/fatcat_web/web_config.py')
diff --git a/python/fatcat_web/web_config.py b/python/fatcat_web/web_config.py
index 8ece91f7..9aad8998 100644
--- a/python/fatcat_web/web_config.py
+++ b/python/fatcat_web/web_config.py
@@ -44,8 +44,12 @@ class Config(object):
 WTF_CSRF_CHECK_DEFAULT = True
 WTF_CSRF_TIME_LIMIT = None
 
- # protect cookies (which include API tokens)
- if FATCAT_DOMAIN != "dev.fatcat.wiki":
+ if FATCAT_DOMAIN == "dev.fatcat.wiki":
+ # "Even more verbose" debug options
+ #SQLALCHEMY_ECHO = True
+ #DEBUG = True
+ else:
+ # protect cookies (which include API tokens)
 SESSION_COOKIE_HTTPONLY = True
 SESSION_COOKIE_SECURE = True
 SESSION_COOKIE_SAMESITE = 'Lax'
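Review bot: `WTF_CSRF_TIME_LIMIT = None` in the added block disables token expiry, so a CSRF token stays valid for as long as the session cookie lives instead of Flask-WTF's default 3600 seconds; the comment above it should record that this is deliberate, e.g. `# None: token valid for the whole session (Flask-WTF default is 3600s)`. The same comment says the check applies "only for WTF forms", but `WTF_CSRF_CHECK_DEFAULT = True` is precisely the setting that makes CSRFProtect check every non-GET view, not only FlaskForm submissions — if CSRFProtect is registered on the app (not visible in this diff) the comment and the value disagree, and a later commit on this page flips the value. Whichever behaviour is intended, say so in the comment so the next reader does not have to guess.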
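Review bot: Moving `SESSION_COOKIE_HTTPONLY` and `SESSION_COOKIE_SAMESITE` into the `else:` branch drops them on dev.fatcat.wiki, although neither flag depends on TLS — only `SESSION_COOKIE_SECURE` has to be gated on the domain. Set `SESSION_COOKIE_HTTPONLY = True` and `SESSION_COOKIE_SAMESITE = 'Lax'` unconditionally before the `if`, and keep just `SESSION_COOKIE_SECURE = True` in the non-dev branch. Given the comment that these cookies carry API tokens, a dev host without HttpOnly is exactly where a stray script in a half-finished template would be able to read one.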
@@ -66,6 +70,3 @@ class Config(object):
 },
 }
 
- # "Even more verbose" debug options
- #SQLALCHEMY_ECHO = True
- #DEBUG = True
-- 
cgit v1.2.3
From 9d62040d7a2d3bc6034fbb4b8ff28397ce3b5d54 Mon Sep 17 00:00:00 2001
From: Bryan Newbold
Date: Wed, 3 Apr 2019 10:58:29 -0700
Subject: better warn/error logging
---
 python/fatcat_web/auth.py | 10 +++++-----
 python/fatcat_web/web_config.py | 2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)
(limited to 'python/fatcat_web/web_config.py')
diff --git a/python/fatcat_web/auth.py b/python/fatcat_web/auth.py
index 1953151b..20c11855 100644
--- a/python/fatcat_web/auth.py
+++ b/python/fatcat_web/auth.py
@@ -20,6 +20,7 @@ def handle_token_login(token):
 m = pymacaroons.Macaroon.deserialize(token)
 except pymacaroons.exceptions.MacaroonDeserializationException:
 # TODO: what kind of Exceptions?
+ app.logger.warn("auth fail: MacaroonDeserializationException")
 return abort(400)
 # extract editor_id
 editor_id = None
@@ -28,6 +29,7 @@ def handle_token_login(token):
 if caveat.startswith(b"editor_id = "):
 editor_id = caveat[12:].decode('utf-8')
 if not editor_id:
+ app.logger.warn("auth fail: editor_id missing in macaroon")
 abort(400)
 # fetch editor info
 editor = api.get_editor(editor_id)
@@ -93,12 +95,11 @@ def handle_ia_xauth(email, password):
 try:
 flash("Internet Archive email/password didn't match: {}".format(resp.json()['values']['reason']))
 except:
- print("IA XAuth fail: {}".format(resp.content))
+ app.logger.warn("IA XAuth fail: {}".format(resp.content))
 return render_template('auth_ia_login.html', email=email), resp.status_code
 elif resp.status_code != 200:
 flash("Internet Archive login failed (internal error?)")
- # TODO: log.warn
- print("IA XAuth fail: {}".format(resp.content))
+ app.logger.warn("IA XAuth fail: {}".format(resp.content))
 return render_template('auth_ia_login.html', email=email), resp.status_code
 
 # Successful login; now fetch info...
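Review bot: `app.logger.warn` on the added line is the deprecated alias of `Logger.warning` (current Python emits a DeprecationWarning for it); use `app.logger.warning("auth fail: MacaroonDeserializationException")`, and likewise for the other new log calls in this commit. The message rightly does not include the token itself; if these failures need to be correlated, log the request's remote address rather than any part of the macaroon. handle_token_login continues outside the hunk.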
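Review bot: Both new `app.logger.warn("IA XAuth fail: {}".format(resp.content))` lines write the entire upstream response body to the log — unbounded, and rendered as `b'...'` since `resp.content` is bytes; an error body from the xauth endpoint may well echo request data such as the submitted email, so prefer the status code plus a bounded repr, `app.logger.warning("IA XAuth fail: status=%s body=%r", resp.status_code, resp.content[:200])`. The bare `except:` above the first log line is pre-existing context, but it now hides which failure (JSON decode or missing `values`/`reason` key) led to the log entry, so logging the exception there would help too. handle_ia_xauth starts and continues outside the hunk.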
@@ -112,8 +113,7 @@ def handle_ia_xauth(email, password):
 })
 if resp.status_code != 200:
 flash("Internet Archive login failed (internal error?)")
- # TODO: log.warn
- print("IA XAuth fail: {}".format(resp.content))
+ app.logger.warn("IA XAuth fail: {}".format(resp.content))
 return render_template('auth_ia_login.html', email=email), resp.status_code
 
 ia_info = resp.json()['values']
diff --git a/python/fatcat_web/web_config.py b/python/fatcat_web/web_config.py
index 9aad8998..1b9a7c9f 100644
--- a/python/fatcat_web/web_config.py
+++ b/python/fatcat_web/web_config.py
@@ -41,7 +41,7 @@ class Config(object):
 
 # CSRF on by default, but only for WTF forms (not, eg, search, lookups, GET
 # forms)
- WTF_CSRF_CHECK_DEFAULT = True
+ WTF_CSRF_CHECK_DEFAULT = False
 WTF_CSRF_TIME_LIMIT = None
 
 if FATCAT_DOMAIN == "dev.fatcat.wiki":
-- 
cgit v1.2.3
From 3b55725950326232e23f7dc1c075ee72c20dccca Mon Sep 17 00:00:00 2001
From: Bryan Newbold
Date: Wed, 3 Apr 2019 11:30:54 -0700
Subject: fix config file whitespace
---
 python/fatcat_web/web_config.py | 1 +
 1 file changed, 1 insertion(+)
(limited to 'python/fatcat_web/web_config.py')
diff --git a/python/fatcat_web/web_config.py b/python/fatcat_web/web_config.py
index 1b9a7c9f..b12cb114 100644
--- a/python/fatcat_web/web_config.py
+++ b/python/fatcat_web/web_config.py
@@ -48,6 +48,7 @@ class Config(object):
 # "Even more verbose" debug options
 #SQLALCHEMY_ECHO = True
 #DEBUG = True
+ pass
 else:
 # protect cookies (which include API tokens)
 SESSION_COOKIE_HTTPONLY = True
-- 
cgit v1.2.3
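Review bot: This is the third identical `app.logger.warn("IA XAuth fail: {}".format(resp.content))` in handle_ia_xauth; a small private helper such as `_log_xauth_failure(resp)` would keep the level, format and any truncation or redaction of the upstream body in one place when they change. `warn` is also the deprecated alias of `warning`. The function starts outside the hunk.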
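Review bot: Flipping `WTF_CSRF_CHECK_DEFAULT` from `True` to `False` is a security-relevant change that the commit message ("better warn/error logging") does not mention and the unchanged comment above does not explain. If `CSRFProtect` is registered on the app (not visible here), `False` means only views decorated with `@csrf.protect()` get the extension's check, so any state-changing view that reads `request.form` or a JSON body directly instead of calling `FlaskForm.validate()` has no CSRF check at all. Record that contract next to the setting, `# False: only FlaskForm.validate() checks the token; other POST/PUT/DELETE views must opt in with @csrf.protect()`, and land a change like this in its own commit so it is visible in the history.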