romfast/rar-autopass
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
12021eb26945263994dd5b9584fd873f0d201508
rar-autopass/app/web/csrf.py
Claude Agent 4a2afc68bf chore: curatare agresiva comentarii — scoatere referinte US/PRD din cod si template-uri 
Eliminat zgomotul de trasabilitate (US-xxx, PRD x.x, Rn, OV-x, Tn, decizii/naratiune
istorica) din 41 fisiere app/ + template-uri. Pastrate comentariile care documenteaza
invarianti si logica ne-evidenta (idempotenta/hash, reconciliere anti-duplicat, RAR 500
esec definitiv, creds per cont, WAF User-Agent, 422 fara echo de parola, scope NULL->1),
curatate doar de tokeni.

Verificare: pentru cele 27 module .py curatate, structura de cod (tokeni non-comentariu/
non-string) e IDENTICA fata de HEAD -> doar comentarii/docstring-uri schimbate. Singura
schimbare de cod e in tests/test_web_responsive.py (scos 3 assert pe markeri US-006/007/008,
inlocuite de asertiunile structurale alaturate). 0 tokeni US/PRD reziduali in app/.
Regresie: 896 passed, 1 deselected.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-25 21:44:24 +00:00

52 lines
1.9 KiB
Python
Raw Blame History

"""CSRF token per-sesiune + validare.
Contract pentru rutele POST web:
- Formulare HTML includ: <input type="hidden" name="csrf_token" value="{{ csrf_token }}">
- Handler-ul POST apeleaza: verify_csrf(request, form.get("csrf_token"))
- La nepotrivire/lipsa: CsrfError -> @app.exception_handler(CsrfError) -> 403
Token e per-sesiune (stabil pana la logout), generat lazy la primul acces.
"""
from __future__ import annotations
import hmac
import secrets
from starlette.requests import Request
from ..config import get_settings
class CsrfError(Exception):
"""Token CSRF lipsa sau invalid. Prins de exception_handler in main.py -> 403."""
def get_csrf_token(request: Request) -> str:
"""Intoarce tokenul CSRF al sesiunii, generandu-l daca lipseste."""
token = request.session.get("csrf_token")
if not token:
token = secrets.token_urlsafe(32)
request.session["csrf_token"] = token
return token
def verify_csrf(request: Request, submitted: str | None) -> None:
"""Verifica tokenul CSRF trimis in formular.
Gateaza pe MOD, nu pe account_id:
- prod (web_auth_required=True): enforce pe TOATE rutele POST, inclusiv /login si
/signup unde atacatorul ar putea forta victima sa se logheze in contul sau
(login CSRF). GET-urile de formular genereaza token in sesiune via get_csrf_token.
- dev/test (web_auth_required=False, fara account_id): skip transparent, testele
existente raman verzi fara sa fie nevoie de token.
- sesiune autentificata (account_id in sesiune): enforce indiferent de mod.
"""
settings = get_settings()
enforce = settings.web_auth_required or request.session.get("account_id") is not None
if not enforce:
return # dev fara auth: CSRF neaplicabil
expected = request.session.get("csrf_token")
if not expected or not submitted or not hmac.compare_digest(expected.encode(), submitted.encode()):
raise CsrfError("token CSRF invalid")
Reference in New Issue View Git Blame Copy Permalink