authorMilo Casagrande <milo.casagrande@linaro.org>2014-07-21 17:39:10 +0200
committerMilo Casagrande <milo.casagrande@linaro.org>2014-07-21 17:39:10 +0200
commitbee2a01334ffcc63bd04102afb6bd11f8264fe2f (patch)
treeaf4030a15755340e8f9018a9d222ee1e9460b36b
parent9b0b63a93732db3ff3f66d2877fd873d8bfcf20b (diff)
Change how CSFR tokens are generated.
* CSRF tokens are now generated with a random time limit between 25 and 180 seconds. Change-Id: I1c47b667da1bb362444093ceef6c0ceac20ea612
-rw-r--r--app/dashboard/__init__.py16
-rw-r--r--app/dashboard/templates/boot.html2
-rw-r--r--app/dashboard/templates/boots.html2
-rw-r--r--app/dashboard/templates/builds-all.html2
-rw-r--r--app/dashboard/templates/builds-job-kernel-defconf.html2
-rw-r--r--app/dashboard/templates/builds-job-kernel.html2
-rw-r--r--app/dashboard/templates/index.html2
-rw-r--r--app/dashboard/templates/jobs-all.html2
-rw-r--r--app/dashboard/templates/jobs-job.html2
9 files changed, 24 insertions, 8 deletions
diff --git a/app/dashboard/__init__.py b/app/dashboard/__init__.py
index e24494d..44ebf00 100644
--- a/app/dashboard/__init__.py
+++ b/app/dashboard/__init__.py
@@ -14,6 +14,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
+import random
from flask import (
Flask,
@@ -24,6 +25,7 @@ from flask import (
)
from flask_wtf.csrf import (
CsrfProtect,
+ generate_csrf,
validate_csrf,
)
@@ -48,6 +50,17 @@ from utils.backend import (
)
+def generate_csrf_token():
+ """Custom function for tokens generation.
+
+ It returns a CSRF token with a random time limit between 25 and
+ 180 seconds.
+
+ :return A random CSRF token.
+ """
+ return generate_csrf(time_limit=random.randint(25, 180))
+
+
# Name of the environment variable that will be lookep up for app configuration
# parameters.
APP_ENVVAR = 'FLASK_SETTINGS'
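Review bot: The docstring of generate_csrf_token overstates what is randomized — generate_csrf still returns the usual session-bound, HMAC-signed token, and only the expiry passed as time_limit is drawn at random, so "a random CSRF token" should read "a CSRF token whose expiry is chosen at random" and the docstring should say why a randomized, short expiry was chosen over the Flask-WTF default, since that rationale is not given anywhere in the commit. The expiry is not a secret, so `random.randint` is adequate here, but a one-line comment stating that (`# Expiry is not secret; a CSPRNG is not needed for it.`) will stop a later reader from "fixing" it with `secrets`. The 25-second floor is the part worth questioning: a token minted at render time is rejected once it expires, so any request a page issues more than 25 seconds after load can fail CSRF validation on some fraction of page views, which is hard to reproduce precisely because the limit is random. Replace the magic numbers with named module constants, e.g. `CSRF_TIME_LIMIT_MIN = 25`, `CSRF_TIME_LIMIT_MAX = 180` and `return generate_csrf(time_limit=random.randint(CSRF_TIME_LIMIT_MIN, CSRF_TIME_LIMIT_MAX))`, so the bounds can be tuned (or sourced from app config) without touching the function.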
@@ -62,6 +75,9 @@ if os.environ.get(APP_ENVVAR):
CsrfProtect(app)
+# Use the custom CSRF token generation.
+app.jinja_env.globals['csrf_token_r'] = generate_csrf_token
+
# General URLs.
app.add_url_rule('/', view_func=IndexView.as_view('index'), methods=['GET'])
app.add_url_rule(
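Review bot: Registering the new helper under a second name, csrf_token_r, leaves the stock csrf_token global that CsrfProtect(app) presumably installs on the line above still callable from templates, so any template that keeps calling csrf_token() silently gets the default time limit rather than the randomized one; nothing in this commit makes that intent explicit. If the shorter lifetime is meant to apply everywhere, override the same name, `app.jinja_env.globals['csrf_token'] = generate_csrf_token`, so templates cannot drift between the two; if both are intentionally available, expand the comment to say so, e.g. `# csrf_token_r yields a token with a randomized short expiry; csrf_token (from CsrfProtect) keeps the default limit.` The surrounding app-setup block continues outside the hunk.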
diff --git a/app/dashboard/templates/boot.html b/app/dashboard/templates/boot.html
index b7f4be9..69f6c04 100644
--- a/app/dashboard/templates/boot.html
+++ b/app/dashboard/templates/boot.html
@@ -1,6 +1,6 @@
{%- extends 'base.html' %}
{%- block meta -%}
- <meta name="csrf-token" content="{{ csrf_token() }}">
+ <meta name="csrf-token" content="{{ csrf_token_r() }}">
{%- endblock %}
{%- block title %}{{ page_title|safe }}{%- endblock %}
{%- block content %}
diff --git a/app/dashboard/templates/boots.html b/app/dashboard/templates/boots.html
index 8b0ae1c..f89efa1 100644
--- a/app/dashboard/templates/boots.html
+++ b/app/dashboard/templates/boots.html
@@ -1,6 +1,6 @@
{% extends 'base.html' %}
{%- block meta -%}
- <meta name="csrf-token" content="{{ csrf_token() }}">
+ <meta name="csrf-token" content="{{ csrf_token_r() }}">
{%- endblock %}
{%- block title %}{{ page_title|safe }}{%- endblock %}
{%- block head %}
diff --git a/app/dashboard/templates/builds-all.html b/app/dashboard/templates/builds-all.html
index fb1b895..e3ff931 100644
--- a/app/dashboard/templates/builds-all.html
+++ b/app/dashboard/templates/builds-all.html
@@ -1,6 +1,6 @@
{% extends 'base.html' %}
{%- block meta -%}
- <meta name="csrf-token" content="{{ csrf_token() }}">
+ <meta name="csrf-token" content="{{ csrf_token_r() }}">
{%- endblock %}
{%- block title %}{{ page_title|safe }}{%- endblock %}
{%- block head %}
diff --git a/app/dashboard/templates/builds-job-kernel-defconf.html b/app/dashboard/templates/builds-job-kernel-defconf.html
index 1e7ab1b..5e96d4e 100644
--- a/app/dashboard/templates/builds-job-kernel-defconf.html
+++ b/app/dashboard/templates/builds-job-kernel-defconf.html
@@ -1,6 +1,6 @@
{% extends 'base.html' %}
{%- block meta -%}
- <meta name="csrf-token" content="{{ csrf_token() }}">
+ <meta name="csrf-token" content="{{ csrf_token_r() }}">
{%- endblock %}
{%- block title %}{{ page_title|safe }}{%- endblock %}
{%- block content %}
diff --git a/app/dashboard/templates/builds-job-kernel.html b/app/dashboard/templates/builds-job-kernel.html
index 31b7319..6ef8b79 100644
--- a/app/dashboard/templates/builds-job-kernel.html
+++ b/app/dashboard/templates/builds-job-kernel.html
@@ -1,6 +1,6 @@
{% extends 'base.html' %}
{%- block meta -%}
- <meta name="csrf-token" content="{{ csrf_token() }}">
+ <meta name="csrf-token" content="{{ csrf_token_r() }}">
{%- endblock %}
{%- block title %}{{ page_title|safe }}{%- endblock %}
{%- block head %}
diff --git a/app/dashboard/templates/index.html b/app/dashboard/templates/index.html
index ed6e29a..6a78109 100644
--- a/app/dashboard/templates/index.html
+++ b/app/dashboard/templates/index.html
@@ -1,6 +1,6 @@
{% extends 'base.html' %}
{%- block meta -%}
- <meta name="csrf-token" content="{{ csrf_token() }}">
+ <meta name="csrf-token" content="{{ csrf_token_r() }}">
{%- endblock %}
{%- block title %}{{ page_title|safe }}{%- endblock %}
{%- block content %}
diff --git a/app/dashboard/templates/jobs-all.html b/app/dashboard/templates/jobs-all.html
index 948d3d8..78584ab 100644
--- a/app/dashboard/templates/jobs-all.html
+++ b/app/dashboard/templates/jobs-all.html
@@ -1,6 +1,6 @@
{% extends 'base.html' %}
{%- block meta -%}
- <meta name="csrf-token" content="{{ csrf_token() }}">
+ <meta name="csrf-token" content="{{ csrf_token_r() }}">
{%- endblock %}
{%- block title %}{{ page_title|safe }}{%- endblock %}
{%- block head %}
diff --git a/app/dashboard/templates/jobs-job.html b/app/dashboard/templates/jobs-job.html
index 8700f08..a2affa6 100644
--- a/app/dashboard/templates/jobs-job.html
+++ b/app/dashboard/templates/jobs-job.html
@@ -1,6 +1,6 @@
{%- extends 'base.html' %}
{%- block meta -%}
- <meta name="csrf-token" content="{{ csrf_token() }}">
+ <meta name="csrf-token" content="{{ csrf_token_r() }}">
{%- endblock %}
{%- block title %}{{ page_title|safe }}{%- endblock %}
{%- block head %}