Make cookies secure

terrazoon · May 11, 2017 · f89de15 · f89de15
1 parent d293267
commit f89de15
Show file tree

Hide file tree

Showing 5 changed files with 47 additions and 22 deletions.
diff --git a/main.py b/main.py
@@ -21,14 +21,24 @@ def render_str(self, template, **params):
     def render(self, template, **kw):
 	self.write(self.render_str(template, **kw))
 
-
+def valid_cookie(raw_cookie):
+    arr = raw_cookie.split("|")
+    cookie_value = arr[0]
+    provided_hash = arr[1]
+    test_hash = hashlib.sha256(cookie_value).hexdigest()
+    return test_hash == provided_hash
+
 class WelcomeHandler(Handler):
     def get(self):
         self.post()
 
     def post(self):
-        username = self.request.cookies.get('username')
-        self.render("welcome.html", username=username)
+        hsh = self.request.cookies.get('username')
+        if valid_cookie(hsh):
+            arr = hsh.split("|")
+            self.render("welcome.html", username=arr[0])
+        else:
+            self.redirect("/logout")
 
 def valid_username(username):
     USER_RE = re.compile(r"^[a-zA-Z0-9_-]{3,20}$")
@@ -42,6 +52,11 @@ def valid_email(email):
     EMAIL_RE = re.compile(r"^[\S]+@[\S]+.[\S]+$")
     return not email or EMAIL_RE.match(email)
 
+def get_hashed_cookie(cookie_key, cookie_value):
+    hsh = str(hashlib.sha256(cookie_value).hexdigest())
+    hashed_cookie = "%s = %s|%s" % (cookie_key, cookie_value, hsh)
+    return str(hashed_cookie)
+
 class User(db.Model):
     username = db.StringProperty(required = True)
     pwd_hash = db.StringProperty(required = True)
@@ -90,7 +105,7 @@ def post(self):
 
             new_user = User(username = username, pwd_hash = pwd_hash, email = email)
             new_user.put()
-            self.response.headers.add_header('Set-Cookie', 'username=%s' % str(username))
+            self.response.headers.add_header('Set-Cookie', get_hashed_cookie('username', username))
             self.redirect("/welcome")
 
 
@@ -131,7 +146,7 @@ def post(self):
         if have_error:
             self.render('login.html', **params);
         else:
-            self.response.headers.add_header('Set-Cookie', 'username=%s' % str(username))
+            self.response.headers.add_header('Set-Cookie', get_hashed_cookie('username', username))
             self.redirect("/welcome")
 
 
@@ -149,10 +164,6 @@ def post(self):
 class MainPage(Handler):
 	def get(self):       
             self.redirect("/signup")
-
-
-
-##### blog
 
 
 def blog_key(name = 'default'):
@@ -164,6 +175,9 @@ def render_str(template, **params):
     return t.render(params)
 
 class BlogPost(db.Model):
+    #TODO make author required after clean up db
+    author = db.StringProperty()
+    likes = db.IntegerProperty()
     subject = db.StringProperty(required = True)
     content = db.TextProperty(required = True)
     created = db.DateTimeProperty(auto_now_add = True)
@@ -183,25 +197,27 @@ def get(self):
         self.render('newpost.html')
 
     def post(self):
-        subject = self.request.get('subject')
-        content = self.request.get('content')
-        if subject and content:
-            newpost = BlogPost(subject=subject, content=content)
-            newpost.put()
-
-            p = db.GqlQuery('SELECT * from BlogPost ORDER BY created DESC LIMIT 1')
-            self.redirect('/blog/%s' % str(p.get().key().id()))
-        else:
-            self.redirect('/blog/newpost')
+        hsh = self.request.cookies.get('username')
+        if valid_cookie(hsh): 
+            arr = hsh.split("|")
+            username = arr[0]
+            subject = self.request.get('subject')
+            content = self.request.get('content')
+            if subject and content:
+                newpost = BlogPost(author=username, subject=subject, content=content)
+                newpost.put()
+
+                p = db.GqlQuery('SELECT * from BlogPost ORDER BY created DESC LIMIT 1')
+                self.redirect('/blog/%s' % str(p.get().key().id()))
+            else:
+                self.redirect('/blog/newpost')
 
 class PermalinkHandler(Handler):
     def get(self, post_id):
-        #key = db.Key.from_path('Post', int(post_id), parent=blog_key())
         post = db.GqlQuery('SELECT * from BlogPost ORDER BY created DESC LIMIT 1')
 
         if not post:
-            self.write('no')
-            #self.error(404)
+            self.error(404)
             return
 
         self.render("permalink.html", post = post.get())

diff --git a/main.pyc b/main.pyc
diff --git a/showlocal.ps1 b/showlocal.ps1
@@ -0,0 +1 @@
+python 'c:\program files (x86)\google\cloud sdk\google-cloud-sdk\bin\dev_appserver.py' 'c:\users\kenneth_kehl\version-control\mub'
diff --git a/templates/login.html b/templates/login.html
@@ -42,6 +42,10 @@ <h2>Login</h2>
       </table>
 
       <input type="submit">
+    </form>
+
+	<form method="get" action="/signup">
+      <button type="submit">Sign Up</button>
     </form>
   </body>
 

diff --git a/templates/signup.html b/templates/signup.html
@@ -65,6 +65,10 @@ <h2>Signup</h2>
       </table>
 
       <input type="submit">
+    </form>
+
+	<form method="get" action="/login">
+      <button type="submit">Login</button>
     </form>
   </body>
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		python 'c:\program files (x86)\google\cloud sdk\google-cloud-sdk\bin\dev_appserver.py' 'c:\users\kenneth_kehl\version-control\mub'