accounts: remove csrf from /bootstrap; add separate /csrf endpoint; c…

…loses #50
adsabs · May 6, 2015 · b7093fa · b7093fa
1 parent 119d390
commit b7093fa
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 6 deletions.
diff --git a/adsws/accounts/app.py b/adsws/accounts/app.py
@@ -12,7 +12,7 @@
     UserAuthView, LogoutView, UserRegistrationView, \
     VerifyEmailView, ChangePasswordView, \
     PersonalTokenView, Bootstrap, StatusView, OAuthProtectedView, \
-    ForgotPasswordView, ChangeEmailView, DeleteAccountView \
+    ForgotPasswordView, ChangeEmailView, DeleteAccountView, CSRFView
 
 def create_app(**kwargs_config):
     """
@@ -44,6 +44,7 @@ def create_app(**kwargs_config):
     api.add_resource(Bootstrap, '/bootstrap')
     api.add_resource(StatusView, '/status')
     api.add_resource(OAuthProtectedView, '/protected')
+    api.add_resource(CSRFView, '/csrf')
     api.add_resource(UserAuthView, '/user')
     api.add_resource(DeleteAccountView, '/user/delete')
     api.add_resource(UserRegistrationView, '/register')

diff --git a/adsws/accounts/utils.py b/adsws/accounts/utils.py
@@ -5,7 +5,6 @@
 from flask import current_app
 from flask.ext.mail import Message
 from flask.ext.login import current_user as cu
-from flask.ext.wtf.csrf import generate_csrf
 
 from .exceptions import ValidationError
 from .emails import Email
@@ -161,6 +160,5 @@ def print_token(token):
         'expire_in': expiry,
         'token_type': 'Bearer',
         'scopes': token.scopes,
-        'csrf': generate_csrf(),
         'anonymous': anon,
     }
diff --git a/adsws/accounts/views.py b/adsws/accounts/views.py
@@ -9,6 +9,7 @@
 from adsws.ext.ratelimiter import ratelimit, scope_func
 from flask.ext.login import current_user, login_user, logout_user
 from flask.ext.restful import Resource, abort
+from flask.ext.wtf.csrf import generate_csrf
 from flask import current_app, session, abort, request
 from .utils import validate_email, validate_password, \
     verify_recaptcha, get_post_data, send_email, login_required, \
@@ -457,6 +458,20 @@ def get(self, token):
         return {"message": "success", "email": email}
 
 
+class CSRFView(Resource):
+    """
+    Returns a csrf token
+    """
+
+    decorators = [ratelimit(50, 600, scope_func=scope_func)]
+
+    def get(self):
+        """
+        Returns a csrf token
+        """
+        return {'csrf': generate_csrf()}
+
+
 class UserRegistrationView(Resource):
     """
     Implements new user registration

diff --git a/adsws/tests/test_accounts.py b/adsws/tests/test_accounts.py
@@ -138,7 +138,7 @@ def get_csrf(self):
         """
 
         #  httpretty socket blocks if enabled before calling self.get_csrf() !
-        r = self.client.get(url_for('bootstrap'))
+        r = self.client.get(url_for('csrfview'))
         return r.json['csrf']
 
     def login(self, user, client, csrf):
@@ -576,7 +576,7 @@ def test_bootstrap_bumblebee(self):
             self.assertEqual(current_user.email, self.bootstrap_user.email)
             self.assertTrue(r.json['anonymous'])
             for k in ['access_token', 'expire_in', 'scopes', 'token_type',
-                      'username', 'refresh_token', 'csrf']:
+                      'username', 'refresh_token']:
                 self.assertIn(
                     k, r.json,
                     msg="{k} not in {data}".format(k=k, data=r.json)
@@ -636,7 +636,7 @@ def test_bootstrap_user(self):
             # that authenticated user's data
             r = c.get(url)
             for k in ['access_token', 'expire_in', 'scopes', 'token_type',
-                      'username', 'refresh_token', 'csrf']:
+                      'username', 'refresh_token']:
                 self.assertIn(
                     k, r.json,
                     msg="{k} not in {data}".format(k=k, data=r.json)