OLD | NEW |
(Empty) | |
| 1 # Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 # Use of this source code is govered by a BSD-style |
| 3 # license that can be found in the LICENSE file or at |
| 4 # https://developers.google.com/open-source/licenses/bsd |
| 5 |
| 6 """Servlet for XSRF token refresh. |
| 7 |
| 8 Our XSRF tokens expire in 2 hours (as defined in xsrf.py), which would |
| 9 mean that users who open an issue page and take a long lunch would see |
| 10 an error if they try to submit a comment when they get back. |
| 11 """ |
| 12 |
| 13 import logging |
| 14 |
| 15 from framework import framework_constants |
| 16 from framework import jsonfeed |
| 17 from framework import xsrf |
| 18 |
| 19 |
| 20 # TODO(jrobbins): Make this also work with xhr tokens by checking expiration |
| 21 # time in CS_doPost(). |
| 22 |
| 23 |
| 24 class TokenRefresh(jsonfeed.JsonFeed): |
| 25 """JSON feed to give the user a new XSRF token.""" |
| 26 |
| 27 # Setting this class variable tells servlet.py to not check the XHR |
| 28 # token for the token refresh request itself. It will always be |
| 29 # expired, otherwise we would not need a new one. Instead, we check |
| 30 # the form_token with a longer expiration. |
| 31 CHECK_SECURITY_TOKEN = False |
| 32 |
| 33 def HandleRequest(self, mr): |
| 34 """Build up a dictionary of data values to use when rendering the page. |
| 35 |
| 36 Args: |
| 37 mr: commonly used info parsed from the request. |
| 38 |
| 39 Returns: |
| 40 Dict of values used by EZT for rendering the page. |
| 41 """ |
| 42 if not mr.auth.user_id: |
| 43 return {} |
| 44 |
| 45 post_data = mr.request.POST |
| 46 form_token_path = post_data.get('form_token_path') |
| 47 xsrf.ValidateToken( |
| 48 post_data.get('form_token'), |
| 49 mr.auth.user_id, |
| 50 form_token_path, |
| 51 timeout=xsrf.REFRESH_TOKEN_TIMEOUT_SEC) |
| 52 |
| 53 return { |
| 54 'form_token': xsrf.GenerateToken(mr.auth.user_id, form_token_path), |
| 55 'token_expires_sec': xsrf.TokenExpiresSec(), |
| 56 } |
| 57 |
| 58 |
OLD | NEW |