Fix and unify CSRF support across web and API endpoints.

endpoints/api/__init__.py

@@ -18,6 +18,7 @@ from auth.permissions import (ReadRepositoryPermission, ModifyRepositoryPermissi
 from auth import scopes
 from auth.auth_context import get_authenticated_user, get_validated_oauth_token
 from auth.auth import process_oauth
+from endpoints.csrf import csrf_protect
 
 
 logger = logging.getLogger(__name__)
@@ -25,6 +26,7 @@ api_bp = Blueprint('api', __name__)
 api = Api()
 api.init_app(api_bp)
 api.decorators = [process_oauth,
+                  csrf_protect,
                   crossdomain(origin='*', headers=['Authorization', 'Content-Type'])]
 
 

endpoints/common.py

@@ -1,11 +1,9 @@
 import logging
-import os
-import base64
 import urlparse
 import json
 
-from flask import session, make_response, render_template, request
+from flask import make_response, render_template, request
-from flask.ext.login import login_user, UserMixin, current_user
+from flask.ext.login import login_user, UserMixin
 from flask.ext.principal import identity_changed
 
 from data import model
@@ -85,15 +83,6 @@ def handle_dme(ex):
   return make_response(json.dumps({'message': ex.message}), 400)
 
 
-def generate_csrf_token():
-  if '_csrf_token' not in session:
-    session['_csrf_token'] = base64.b64encode(os.urandom(48))
-
-  return session['_csrf_token']
-
-app.jinja_env.globals['csrf_token'] = generate_csrf_token 
-
-
 def render_page_template(name, **kwargs):
   resp = make_response(render_template(name, route_data=json.dumps(get_route_data()), **kwargs))
   resp.headers['X-FRAME-OPTIONS'] = 'DENY'

endpoints/csrf.py

@@ -0,0 +1,43 @@
+import logging
+
+from flask import session, request
+from functools import wraps
+
+from app import app
+from auth.auth_context import get_validated_oauth_token
+from util.http import abort
+
+
+logger = logging.getLogger(__name__)
+
+
+def generate_csrf_token():
+  if '_csrf_token' not in session:
+    session['_csrf_token'] = base64.b64encode(os.urandom(48))
+
+  return session['_csrf_token']
+
+
+def csrf_protect(func):
+  @wraps(func)
+  def wrapper(*args, **kwargs):
+    oauth_token = get_validated_oauth_token()
+    if oauth_token is None and request.method != "GET" and request.method != "HEAD":
+      token = session.get('_csrf_token', None)
+      found_token = request.values.get('_csrf_token', None)
+
+      # TODO: add if not token here, once we are sure all sessions have a token.
+      if token != found_token:
+        msg = 'CSRF Failure. Session token was %s and request token was %s'
+        logger.error(msg, token, found_token)
+        abort(403, message='CSRF token was invalid or missing.')
+
+      if not token:
+        logger.warning('No CSRF token in session.')
+      else:
+        logger.debug('Found and validated CSRF token.')
+    return func(*args, **kwargs)
+  return wrapper
+
+
+app.jinja_env.globals['csrf_token'] = generate_csrf_token 

endpoints/web.py

@@ -14,7 +14,8 @@ from auth.permissions import AdministerOrganizationPermission
 from util.invoice import renderInvoiceToPdf
 from util.seo import render_snapshot
 from util.cache import no_cache
-from endpoints.common import common_login, render_page_template, generate_csrf_token
+from endpoints.common import common_login, render_page_template
+from endpoints.csrf import csrf_protect, generate_csrf_token
 from util.names import parse_repository_name
 from util.gravatar import compute_hash
 from auth import scopes
@@ -248,6 +249,7 @@ class FlaskAuthorizationProvider(DatabaseAuthorizationProvider):
 
 
 @web.route('/oauth/authorizeapp', methods=['POST'])
+@csrf_protect
 def authorize_application():
   if not current_user.is_authenticated():
     abort(401)
@@ -257,18 +259,13 @@ def authorize_application():
   client_id = request.form.get('client_id', None)
   redirect_uri = request.form.get('redirect_uri', None)
   scope = request.form.get('scope', None)
-  csrf = request.form.get('csrf', None)
-
-  # Verify the csrf token.
-  if csrf != generate_csrf_token():
-    abort(404)
-    return
 
   # Add the access token.
   return provider.get_token_response('token', client_id, redirect_uri, scope=scope)
 
 
 @web.route('/oauth/denyapp', methods=['POST'])
+@csrf_protect
 def deny_application():
   if not current_user.is_authenticated():
     abort(401)
@@ -278,12 +275,6 @@ def deny_application():
   client_id = request.form.get('client_id', None)
   redirect_uri = request.form.get('redirect_uri', None)
   scope = request.form.get('scope', None)
-  csrf = request.form.get('csrf', None)
-
-  # Verify the csrf token.
-  if csrf != generate_csrf_token():
-    abort(404)
-    return
 
   # Add the access token.
   return provider.get_auth_denied_response('token', client_id, redirect_uri, scope=scope)

templates/oauthorize.html

@@ -54,13 +54,13 @@
         <input type="hidden" name="client_id" value="{{ client_id }}">
         <input type="hidden" name="redirect_uri" value="{{ redirect_uri }}">
         <input type="hidden" name="scope" value="{{ scope }}">
-        <input type="hidden" name="csrf" value="{{ csrf_token_val }}">
+        <input type="hidden" name="_csrf_token" value="{{ csrf_token_val }}">
         <button type="submit" class="btn btn-success">Authorize Application</button>
       </form><form method="post" action="/oauth/denyapp">
         <input type="hidden" name="client_id" value="{{ client_id }}">
         <input type="hidden" name="redirect_uri" value="{{ redirect_uri }}">
         <input type="hidden" name="scope" value="{{ scope }}">
-        <input type="hidden" name="csrf" value="{{ csrf_token_val }}">
+        <input type="hidden" name="_csrf_token" value="{{ csrf_token_val }}">
         <button type="submit" class="btn btn-default">Cancel</button>
       </form>
     </div>