From 2befde27d57878f892f059f66d776f03dd97ecae Mon Sep 17 00:00:00 2001
From: Thomas Sileo
Date: Fri, 1 Jun 2018 21:54:43 +0200
Subject: [PATCH] Enable the CSRF check for the login page
---
 activitypub.py | 3 ++-
 app.py | 3 ++-
 templates/login.html | 1 +
 3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/activitypub.py b/activitypub.py
index 88ff84b..0b4eca6 100644
--- a/activitypub.py
+++ b/activitypub.py
@@ -293,6 +293,8 @@ class BaseActivity(object):
 def _should_purge_cache(self) -> bool:
 raise NotImplementedError
+ # FIXME(tsileo): _pre_process_from_inbox, _pre_post_to_outbox, allow to prevent saving, check for undo, delete, update both inbox and outbox
+
 def process_from_inbox(self) -> None:
 logger.debug(f'calling main process from inbox hook for {self}')
 self.verify()
@@ -719,7 +721,6 @@ class Update(BaseActivity):
 # TODO(tsileo): implements _should_purge_cache if it's a reply of a published activity (i.e. in the outbox)
 def _post_to_outbox(self, obj_id: str, activity: ObjectType, recipients: List[str]) -> None:
- print('UPDATE')
 obj = self._data['object']
 update_prefix = 'activity.object.'
diff --git a/app.py b/app.py
index 3313af3..0391e40 100644
--- a/app.py
+++ b/app.py
@@ -73,7 +73,7 @@ app.secret_key = get_secret_key('flask')
 app.config.update(
 WTF_CSRF_CHECK_DEFAULT=False,
 )
-# csrf = CSRFProtect(app)
+csrf = CSRFProtect(app)
 logger = logging.getLogger(__name__)
@@ -287,6 +287,7 @@ def login():
 devices = [doc['device'] for doc in DB.u2f.find()]
 u2f_enabled = True if devices else False
 if request.method == 'POST':
+ csrf.protect()
 pwd = request.form.get('pass')
 if pwd and verify_pass(pwd):
 if devices:
diff --git a/templates/login.html b/templates/login.html
index 7e3cc1c..603808c 100644
--- a/templates/login.html
+++ b/templates/login.html
@@ -8,6 +8,7 @@
 {% if session.logged_in %}logged{% else%}not logged{%endif%}
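Review bot: Because `WTF_CSRF_CHECK_DEFAULT=False` stays in place just above the new `csrf = CSRFProtect(app)` line, enabling the extension protects nothing on its own; every session-authenticated POST view has to call `csrf.protect()` explicitly, and this commit only does so in `login()`. If the default check is off because the ActivityPub inbox/outbox endpoints receive POSTs from remote servers that cannot carry a token (inferred, not visible in this hunk), the fail-closed shape is to leave the default check on and mark those endpoints with `@csrf.exempt`, so a forgotten `protect()` call in a future view is a 400 rather than a silent hole. At minimum the config line deserves a comment stating the contract, e.g. `# CSRF check is opt-in: every POST view that acts on the logged-in session must call csrf.protect()`.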
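Review bot: The new `csrf.protect()` call is placed before `request.form.get('pass')` is read, so a forged request is rejected before `verify_pass` runs, which is the right order; note that `protect()` raises `CSRFError` (HTTP 400 by default) rather than returning, and no handler for it is visible in this diff, so if none exists elsewhere a user whose session token went stale gets a bare error page instead of the form again. Consider an `@app.errorhandler(CSRFError)` that redirects back to the login page with a message. `login()` starts and ends outside the hunk, so whether the U2F branch under `if devices:` hands off to a second POST endpoint that needs the same `csrf.protect()` cannot be confirmed here.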
+ {% if u2f_enabled %}