diff --git a/activitypub.py b/activitypub.py index 88ff84b..0b4eca6 100644 --- a/activitypub.py +++ b/activitypub.py @@ -293,6 +293,8 @@ class BaseActivity(object): def _should_purge_cache(self) -> bool: raise NotImplementedError + # FIXME(tsileo): _pre_process_from_inbox, _pre_post_to_outbox, allow to prevent saving, check for undo, delete, update both inbox and outbox + def process_from_inbox(self) -> None: logger.debug(f'calling main process from inbox hook for {self}') self.verify() @@ -719,7 +721,6 @@ class Update(BaseActivity): # TODO(tsileo): implements _should_purge_cache if it's a reply of a published activity (i.e. in the outbox) def _post_to_outbox(self, obj_id: str, activity: ObjectType, recipients: List[str]) -> None: - print('UPDATE') obj = self._data['object'] update_prefix = 'activity.object.' diff --git a/app.py b/app.py index 3313af3..0391e40 100644 --- a/app.py +++ b/app.py @@ -73,7 +73,7 @@ app.secret_key = get_secret_key('flask') app.config.update( WTF_CSRF_CHECK_DEFAULT=False, ) -# csrf = CSRFProtect(app) +csrf = CSRFProtect(app) logger = logging.getLogger(__name__) @@ -287,6 +287,7 @@ def login(): devices = [doc['device'] for doc in DB.u2f.find()] u2f_enabled = True if devices else False if request.method == 'POST': + csrf.protect() pwd = request.form.get('pass') if pwd and verify_pass(pwd): if devices: diff --git a/templates/login.html b/templates/login.html index 7e3cc1c..603808c 100644 --- a/templates/login.html +++ b/templates/login.html @@ -8,6 +8,7 @@ {% if session.logged_in %}logged{% else%}not logged{%endif%}
+ {% if u2f_enabled %}