vbatts/microblog.pub
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Improve expired session and CSRF error handling

Browse source
This commit is contained in:
Thomas Sileo 2022-09-16 18:14:50 +02:00
parent 949365d8ba
commit b99552384c
5 changed files with 32 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

13
app/config.py
View file

@ -200,10 +200,19 @@ def generate_csrf_token() -> str:
return csrf_serializer.dumps(secrets.token_hex(16)) # type: ignore
def verify_csrf_token(csrf_token: str = Form()) -> None:
def verify_csrf_token(
csrf_token: str = Form(),
redirect_url: str | None = Form(None),
) -> None:
please_try_again = "please try again"
if redirect_url:
please_try_again = f'<a href="{redirect_url}">please try again</a>'
try:
csrf_serializer.loads(csrf_token, max_age=1800)
except (itsdangerous.BadData, itsdangerous.SignatureExpired):
logger.exception("Failed to verify CSRF token")
raise HTTPException(status_code=403, detail="CSRF error")
raise HTTPException(
status_code=403,
detail=f"The security token expired, {please_try_again}",
)
return None