
3c074948094c7e2ab897d4e4e2e17c513ce63613 — Thomas Sileo 1 year, 3 months ago 2433fa0
Make CSRF expiration configurable and increase default value
1 files changed, 2 insertions(+), 1 deletions(-)

M app/config.py
M app/config.py => app/config.py +2 -1
@@ 124,6 124,7 @@ class Config(pydantic.BaseModel):
    key_path: str | None = None

    session_timeout: int = 3600 * 24 * 3  # in seconds, 3 days by default
    csrf_token_exp: int = 3600

    disabled_notifications: list[str] = []



@@ 263,7 264,7 @@ def verify_csrf_token(
    if redirect_url:
        please_try_again = f'<a href="{redirect_url}">please try again</a>'
    try:
        csrf_serializer.loads(csrf_token, max_age=1800)
        csrf_serializer.loads(csrf_token, max_age=CONFIG.csrf_token_exp)
    except (itsdangerous.BadData, itsdangerous.SignatureExpired):
        logger.exception("Failed to verify CSRF token")
        raise HTTPException(
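Review bot: The new `csrf_token_exp` field in the first hunk carries no unit comment and no lower bound, unlike the neighbouring `session_timeout`, which documents its unit and default inline; a misconfigured value (0, negative, or an accidental milliseconds figure) is accepted silently and then fed straight into `csrf_serializer.loads(..., max_age=CONFIG.csrf_token_exp)` in the second hunk, where a non-positive `max_age` would presumably make every token fail with `SignatureExpired`. I would at least mirror the sibling field's style, `csrf_token_exp: int = 3600  # in seconds, 1 hour by default`, and consider constraining it with `csrf_token_exp: int = pydantic.Field(3600, gt=0)  # in seconds, 1 hour by default` so the config fails fast instead of the CSRF check failing on every form post. It may also be worth a short comment noting that this value should stay well below `session_timeout`, since a CSRF token that outlives the session it protects buys nothing. `verify_csrf_token` continues outside the hunk.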