From 8dd6890a7d0e98ec56ffe1476c9de19517094746 Mon Sep 17 00:00:00 2001
From: Thomas Sileo <t@a4.io>
Date: Mon, 11 Jul 2022 09:42:39 +0200
Subject: [PATCH] More CSRF tweaks

---
 app/config.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/app/config.py b/app/config.py
index 3d95c8e..66f26f2 100644
--- a/app/config.py
+++ b/app/config.py
@@ -10,7 +10,6 @@ import tomli
 from fastapi import Form
 from fastapi import HTTPException
 from fastapi import Request
-from itsdangerous import TimedSerializer
 from itsdangerous import URLSafeTimedSerializer
 from loguru import logger
 
@@ -95,10 +94,13 @@ EMOJI_TPL = '<img src="/static/twemoji/{filename}.svg" alt="{raw}" class="emoji"
 _load_emojis(ROOT_DIR, BASE_URL)
 
 
-session_serializer = TimedSerializer(CONFIG.secret, salt="microblogpub.login")
+session_serializer = URLSafeTimedSerializer(
+    CONFIG.secret,
+    salt=f"{ID}.session",
+)
 csrf_serializer = URLSafeTimedSerializer(
-    secrets.token_bytes(32),
-    salt=ID,
+    CONFIG.secret,
+    salt=f"{ID}.csrf",
 )
 
 
@@ -108,7 +110,7 @@ def generate_csrf_token() -> str:
 
 def verify_csrf_token(csrf_token: str = Form()) -> None:
     try:
-        csrf_serializer.loads(csrf_token, max_age=600)
+        csrf_serializer.loads(csrf_token, max_age=1800)
     except (itsdangerous.BadData, itsdangerous.SignatureExpired):
         logger.exception("Failed to verify CSRF token")
         raise HTTPException(status_code=403, detail="CSRF error")