
Switch to a timed serializer

Getty Ritter il y a 4 ans
Parent
commit
9ac1f66830
2 fichiers modifiés avec 18 ajouts et 9 suppressions
  1. 1 1
      lc/config.py
  2. 17 8
      lc/web.py

+ 1 - 1
lc/config.py

@@ -7,7 +7,7 @@ import playhouse.sqlite_ext
 
 db = playhouse.sqlite_ext.SqliteExtDatabase(None)
 per_page = 50
-serializer = itsdangerous.URLSafeSerializer(os.getenv("SECRET_KEY", "TEMP KEY"))
+serializer = itsdangerous.URLSafeTimedSerializer(os.getenv("SECRET_KEY", "TEMP KEY"))
 app = flask.Flask(__name__)
 app.secret_key = os.getenv("SECRET_KEY", "ARGLBARGL")
 
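Review bot: Switching to `URLSafeTimedSerializer` on the `serializer = ...` line only embeds a timestamp; the timestamp is enforced solely when a caller passes `max_age` to `loads`, and the `c.serializer.loads(token)` call in the lc/web.py hunk of this commit still omits it, so no token actually expires after this change. The two lines below this one also keep `os.getenv("SECRET_KEY", "TEMP KEY")` and `os.getenv("SECRET_KEY", "ARGLBARGL")` as fallbacks, which means a deployment that forgets the variable signs auth tokens and sessions with a key that is visible in the repository. Failing at import time is the safer default, e.g. `secret_key = os.environ["SECRET_KEY"]` used for both the serializer and `app.secret_key`, with a comment `# no fallback on purpose: a known default key lets anyone forge auth tokens`. Whether any other module reads `SECRET_KEY` directly is not visible here.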

+ 17 - 8
lc/web.py

@@ -31,17 +31,26 @@ class Endpoint:
         elif flask.session.get("auth", None):
             token = flask.session["auth"]
 
+        if token is None:
+            return
+
         # if that exists and we can deserialize it, then make sure
         # it contains a valid user password, too
-        if token and (payload := c.serializer.loads(token)):
-            if "name" not in payload:
-                return
+        try:
+            payload = c.serializer.loads(token)
+        except:
+            # TODO: be more specific about what errors we're catching
+            # here!
+            return
 
-            try:
-                u = m.User.by_slug(payload["name"])
-                self.user = u
-            except e.LCException:
-                return
+        if "name" not in payload:
+            return
+
+        try:
+            u = m.User.by_slug(payload["name"])
+            self.user = u
+        except e.LCException:
+            return
 
     def api_ok(self, redirect: str, data: dict = {"status": "ok"}) -> ApiOK:
         if flask.request.content_type == "application/x-www-form-urlencoded":
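Review bot: The bare `except:` around `payload = c.serializer.loads(token)` catches `BaseException`, so a `KeyboardInterrupt` or `SystemExit` raised during a request is silently turned into "not logged in"; the TODO the commit adds acknowledges this. itsdangerous raises `BadSignature` and `SignatureExpired` as subclasses of `BadData`, so `except itsdangerous.BadData:` (with `itsdangerous` imported in this module, or the exception re-exported via the config module, which I cannot see from here) narrows it to exactly the tampered/expired cases and resolves the TODO. Note also that `"name" not in payload` assumes the deserialized payload is a mapping; guarding with `if not isinstance(payload, dict) or "name" not in payload: return` keeps a signed non-dict payload from raising a `TypeError` at `payload["name"]`. The enclosing method starts before this hunk, so the initial assignment of `token` that the new `if token is None: return` relies on is not visible in the diff.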