add csrf protection and config stuff

8 years ago · def5a47491
9 changed files with 24 additions and 2 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,5 +1,6 @@
 *.sw*
 *.pyc
+*.cfg
 .vim-session
 *~
 venv
--- a/blog.service
+++ b/blog.service
@ -7,6 +7,7 @@ User=http
 Group=http
 WorkingDirectory=/srv/http/riotblog
 ExecStart=/usr/bin/uwsgi --ini /srv/http/riotblog/blog.ini
+Environment="RIOTBLOG_SETTINGS=/srv/http/riotblog/riotblog_prod.cfg"

 [Install]
 WantedBy=multi.user.target
--- a/build/blog.service
+++ b/build/blog.service
@ -7,6 +7,7 @@ User=http
 Group=http
 WorkingDirectory=/srv/http/riotblog
 ExecStart=/usr/bin/uwsgi --ini /srv/http/riotblog/blog.ini
+Environment="RIOTBLOG_SETTINGS=/srv/http/riotblog/riotblog_prod.cfg"

 [Install]
 WantedBy=multi.user.target
--- a/build/requirements.txt
+++ b/build/requirements.txt
@ -12,6 +12,7 @@ flask-appconfig==0.11.1
 Flask-Bootstrap==3.3.7.1
 Flask-Login==0.4.0
 flask-marshmallow==0.7.0
+Flask-WTF==0.14.2
 greenlet==0.4.12
 idna==2.2
 itsdangerous==0.24
@ -39,4 +40,5 @@ virtualenv-clone==0.2.6
 virtualenvwrapper==4.7.2
 visitor==0.1.3
 Werkzeug==0.11.15
+WTForms==2.1
 youtube-dl==2017.1.28
--- a/build/templates/index.html
+++ b/build/templates/index.html
@ -10,7 +10,7 @@
    <section class="text-center nav navbar centered page-top navbar-section">
      <h1 class="blog-title">Wesley Kerfoot</h1>
    </section>
-    <app></app>
+    <app csrf_token="{{ csrf_token() }}"></app>
    <footer class="footer">
    </footer>

--- a/build/website.py
+++ b/build/website.py
@ -5,6 +5,7 @@ from flask import abort, Flask, render_template, flash, request, send_from_direc
 from werkzeug.local import Local, LocalProxy, LocalManager
 from flask_appconfig import AppConfig
 from flask_login import LoginManager, login_required
+from flask_wtf.csrf import CSRFProtect

 from urllib.parse import unquote
 from urllib.parse import quote, unquote
@ -92,6 +93,8 @@ def NeverWhere(configfile=None):
        """
        return posts.savepost(**request.form)

+    # default, not found error
+
    @app.route("/<path:path>")
    def page_not_found(path):
        return "Oops, couldn't find that :/"
@ -100,7 +103,13 @@ def NeverWhere(configfile=None):

 app = NeverWhere()

+app.config.from_envvar('RIOTBLOG_SETTINGS')
+
 login_manager.init_app(app)

+csrf = CSRFProtect()
+
+csrf.init_app(app)
+
 if __name__ == "__main__":
    NeverWhere("./appconfig").run(host="localhost", port=8001, debug=True)
--- a/fabfile.py
+++ b/fabfile.py
@ -35,6 +35,7 @@ def buildLocalVenv():
 def copyFiles():
    local("cp ./{blog.ini,blog.service,requirements.txt} ./build/")
    local("cp ./src/*py ./build/")
+    local("cp *.cfg ./build/")
    local("cp ./src/styles/*.css ./build/styles/")
    local("uglifycss ./build/styles/*css > ./build/styles/primop.me.min.css")
    local("cp -r ./src/templates ./build/templates")
--- a/src/templates/index.html
+++ b/src/templates/index.html
@ -10,7 +10,7 @@
    <section class="text-center nav navbar centered page-top navbar-section">
      <h1 class="blog-title">Wesley Kerfoot</h1>
    </section>
-    <app></app>
+    <app csrf_token="{{ csrf_token() }}"></app>
    <footer class="footer">
    </footer>

--- a/src/website.py
+++ b/src/website.py
@ -5,6 +5,7 @@ from flask import abort, Flask, render_template, flash, request, send_from_direc
 from werkzeug.local import Local, LocalProxy, LocalManager
 from flask_appconfig import AppConfig
 from flask_login import LoginManager, login_required
+from flask_wtf.csrf import CSRFProtect

 from urllib.parse import unquote
 from urllib.parse import quote, unquote
@ -102,7 +103,13 @@ def NeverWhere(configfile=None):

 app = NeverWhere()

+app.config.from_envvar('RIOTBLOG_SETTINGS')
+
 login_manager.init_app(app)

+csrf = CSRFProtect()
+
+csrf.init_app(app)
+
 if __name__ == "__main__":
    NeverWhere("./appconfig").run(host="localhost", port=8001, debug=True)