CSRF cleanup and fixes #264

Merged
merged 12 commits into from
Oct 23, 2016

Commits on Oct 9, 2016

  1. use itsdangerous for csrf tokens

    tokens always contain a timestamp
    time limit only required when verifying
    tokens are always url safe
    davidism committed Oct 9, 2016
    ce17638

Commits on Oct 13, 2016

  1. don't store app on extension

    some code cleanup
    davidism committed Oct 13, 2016
    682e695
  2. protect the delete method by default

    simplify exempt checks
    davidism committed Oct 13, 2016
    2954c77
  3. deprecate csrf.error_handler

    allow handler to return or raise response
    introduce CSRFError for app.errorhandler to handle
    closes #200, closes #209, closes #243, closes #252,
    davidism committed Oct 13, 2016
    2a6d552
  4. 26513eb

Commits on Oct 23, 2016

  1. 3044572
  2. a7b5d00
  3. cache CSRF token per request, not per app context

    signed token is available as request.csrf_token
    raw token is available as session['csrf_token']
    closes #227
    davidism committed Oct 23, 2016
    a8d8089
  4. rewrite csrf documentation

    davidism committed Oct 23, 2016
    e782ea9
  5. 3d69ffc
  6. 8b1f1d6
  7. 6070ca4