core.securitykey
¶
Implementation of one-time CSRF-security-keys.
CSRF-security-keys (Cross-Site Request Forgery) are used mostly to make requests unique and non-reproducible. Doing the same request again requires to obtain a fresh security key first. Furthermore, security keys can be used to implemented credential-reset mechanisms or similar features, where a URL is only valid for one call.
- ..note:
There’s also a hidden 3rd type of security-key: The session’s static security key.
This key is only revealed once during login, as the protected header “Sec-X-ViUR-StaticSessionKey”.
This can be used instead of the one-time sessions security key by sending it back as the same protected HTTP header and setting the skey value to “Sec-X-ViUR-StaticSessionKey”. This is only intended for non-web-browser, programmatic access (admin tools, import tools etc.) where CSRF attacks are not applicable.
Therefor that header is prefixed with “Sec-” - so it cannot be read or set using JavaScript.
Module Contents¶
Functions¶
|
Creates a new one-time CSRF-security-key. |
|
Validates a CSRF-security-key. |
|
Attributes¶
- core.securitykey.SECURITYKEY_KINDNAME = 'viur-securitykey'¶
- core.securitykey.SECURITYKEY_DURATION¶
- core.securitykey.SECURITYKEY_STATIC = 'Sec-X-ViUR-StaticSessionKey'¶
- core.securitykey.create(duration=None, session_bound=True, key_length=13, **custom_data)¶
Creates a new one-time CSRF-security-key.
The custom data (given as **custom_data) that can be stored with the key. Any data provided must be serializable by the datastore.
- Parameters:
duration (Union[None, int]) – Make this CSRF-token valid for a fixed timeframe of seconds.
session_bound (bool) – Bind this CSRF-token to the current session.
custom_data – Any other data is stored with the CSRF-token, for later re-use.
key_length (int) –
- Returns:
The new one-time key, which is a randomized string.
- Return type:
str
- core.securitykey.validate(key, session_bound=True)¶
Validates a CSRF-security-key.
- Parameters:
key (str) – The CSRF-token to be validated.
session_bound (bool) – If True, make sure the CSRF-token is created inside the current session.
- Returns:
False if the key was not valid for whatever reasons, the data (given during
create()
) as dictionary or True if the dict is empty (or session was True).- Return type:
Union[bool, viur.core.db.Entity]
- core.securitykey.periodic_clear_skeys()¶
- core.securitykey.clear_session_skeys(session_key)¶