Open Source Monorail

appengine/monorail/framework/tokenrefresh.py

+# Copyright 2016 The Chromium Authors. All rights reserved.
+# Use of this source code is govered by a BSD-style
+# license that can be found in the LICENSE file or at
+# https://developers.google.com/open-source/licenses/bsd
+
+"""Servlet for XSRF token refresh.
+
+Our XSRF tokens expire in 2 hours (as defined in xsrf.py), which would
+mean that users who open an issue page and take a long lunch would see
+an error if they try to submit a comment when they get back.
+"""
+
+import logging
+
+from framework import framework_constants
+from framework import jsonfeed
+from framework import xsrf
+
+
+# TODO(jrobbins): Make this also work with xhr tokens by checking expiration
+# time in CS_doPost().
+
+
+class TokenRefresh(jsonfeed.JsonFeed):
+  """JSON feed to give the user a new XSRF token."""
+
+  # Setting this class variable tells servlet.py to not check the XHR
+  # token for the token refresh request itself.  It will always be
+  # expired, otherwise we would not need a new one.  Instead, we check
+  # the form_token with a longer expiration.
+  CHECK_SECURITY_TOKEN = False
+
+  def HandleRequest(self, mr):
+    """Build up a dictionary of data values to use when rendering the page.
+
+    Args:
+      mr: commonly used info parsed from the request.
+
+    Returns:
+      Dict of values used by EZT for rendering the page.
+    """
+    if not mr.auth.user_id:
+      return {}
+
+    post_data = mr.request.POST
+    form_token_path = post_data.get('form_token_path')
+    xsrf.ValidateToken(
+        post_data.get('form_token'),
+        mr.auth.user_id,
+        form_token_path,
+        timeout=xsrf.REFRESH_TOKEN_TIMEOUT_SEC)
+
+    return {
+      'form_token': xsrf.GenerateToken(mr.auth.user_id, form_token_path),
+      'token_expires_sec': xsrf.TokenExpiresSec(),
+      }
+
+