penambahan csrf

opensipkd/base/__init__.py

 import locale
 import logging
 import re
-import os
-import colander
 
 try:
     from urllib import (urlencode, quote, quote_plus, )
@@ -21,6 +19,8 @@ from .security import (
     group_finder,
     get_user, MySecurityPolicy,
 )
+from pyramid.csrf import get_csrf_token
+
 from opensipkd.models import (
     DBSession,
     Base,
@@ -149,6 +149,7 @@ def add_global(event):
     event['change_unit'] = change_unit
     event['get_params'] = get_params
     event['get_urls'] = get_urls
+    event['get_csrf_token'] = get_csrf_token
 
 
 def get_params(params, alternate=None, settings=None):
@@ -180,6 +181,13 @@ def get_ini(request, var):
     return
 
 
+def get_password_strength(request):
+    settings = get_settings()
+    if 'password_strength' in settings and settings['password_strength']:
+        return settings['password_strength']
+    return True
+
+
 def get_ini_params(request, params=None, alternate=None, settings=None):
     """
     Digunakan untuk mengambil nilai dari konfigurasi sesuai params yang disebut
@@ -197,9 +205,9 @@ def get_id_card_folder(ext=None):
     folder = get_params("partner_idcard_folder", '/tmp/idcard')
     if ext:
         if ext and os.sep != '/':
-            ext = ext.replace('/','\\')
-        if not os.path.exists(folder+ext):
-            os.makedirs(folder+ext)
+            ext = ext.replace('/', '\\')
+        if not os.path.exists(folder + ext):
+            os.makedirs(folder + ext)
         return folder + ext
     return folder
 
@@ -431,7 +439,7 @@ def main(global_config, **settings):
         None: {"js": "opensipkd.base:static/jquery/jquery.maskMoney.min.js"}}
 
     engine = engine_from_config(
-        settings, 'sqlalchemy.', client_encoding='utf8') #, convert_unicode=True
+        settings, 'sqlalchemy.', client_encoding='utf8')  # , convert_unicode=True
     DBSession.configure(bind=engine)
     LogDBSession.configure(bind=engine)
     Base.metadata.bind = engine
@@ -448,6 +456,7 @@ def main(global_config, **settings):
     config = Configurator(settings=settings,
                           root_factory='opensipkd.models.RootFactory',
                           session_factory=session_factory)
+    config.set_default_csrf_options(require_csrf=True)
     modules = get_modules(settings)
     from importlib import import_module
     for module in modules:
@@ -488,6 +497,8 @@ def main(global_config, **settings):
     config.add_request_method(disable_responsive, 'disable_responsive',
                               reify=True)
     config.add_request_method(get_ini, 'get_ini', reify=True)
+    config.add_request_method(get_csrf_token, 'get_csrf_token', reify=True)
+
     config.add_translation_dirs('opensipkd.base:locale/')
 
     config.add_static_view('static', 'opensipkd.base:static',

opensipkd/base/views/user_login.py

@@ -25,26 +25,24 @@ from datetime import timedelta, datetime
 from importlib import import_module
 
 import colander
-import requests
 from deform import widget, Form, ValidationFailure, Button
-from icecream import ic
+from pyramid.csrf import new_csrf_token
 from pyramid.httpexceptions import HTTPFound, HTTPNotFound
 from pyramid.renderers import render_to_response
 from pyramid.security import remember, forget
 from pyramid.view import view_config
+from pyramid_mailer.message import Message
 from ziggurat_foundations.models.services.external_identity import \
     ExternalIdentityService
 from ziggurat_foundations.models.services.user import UserService
 
 from opensipkd.base import DBSession, get_params
+from opensipkd.base.views import _, one_hour, two_minutes, BaseView
 from opensipkd.models import User, ExternalIdentity, Partner
 from opensipkd.tools import create_now, set_user_log, get_settings
-from opensipkd.base.views import _, one_hour, two_minutes, BaseView
-from pyramid_mailer.message import Message
-
 from opensipkd.tools.buttons import btn_cancel
-from opensipkd.tools.form_api import formfield2dict
 from .. import get_urls
+
 log = __import__("logging").getLogger(__name__)
 
 
@@ -59,6 +57,19 @@ class Login(colander.Schema):
     password = colander.SchemaNode(
         colander.String(), widget=widget.PasswordWidget())
 
+    # csrf_token = colander.SchemaNode(
+    #     colander.String(),
+    # )
+
+    def after_bind(self, schema, kwargs):
+        request = kwargs["request"]
+        csrf_token = new_csrf_token(request)
+        log.error(csrf_token)
+        self["csrf_token"] = colander.SchemaNode(
+            colander.String(), widget=widget.HiddenWidget(),
+            default=csrf_token
+        )
+
 
 # http://deformdemo.repoze.org/interfield/
 def login_validator(form, value):
@@ -174,7 +185,8 @@ class ViewLogin(BaseView):
             request.session.flash('Anda sudah login', 'error')
             return HTTPFound(location=get_urls(f"{request.route_url('home')}"))
 
-        schema = Login(validator=login_validator)
+        schema = Login()
+        schema = schema.bind(request=self.req)
         form = Form(schema, buttons=('login',))
         message = ""
         if 'login' in request.POST:
@@ -190,6 +202,7 @@ class ViewLogin(BaseView):
                 return HTTPFound(location=get_urls(request.route_url('login')))
 
             values = dict(c)
+
             # start cek external module
             pckgs = get_params('external-uim')
             if user:
@@ -245,7 +258,7 @@ class ViewLogin(BaseView):
                 return HTTPFound(location=get_urls(request.route_url('login')))
             if user and user.status == 1:
                 return redirect_login(request, user)
-
+        # values = {"csrf_token": new_csrf_token(request)}
         login = ""
         if login_tpl == 'templates/login.pt':
             return dict(form=form.render(),
@@ -290,7 +303,7 @@ btn_home = Button("home", css_class="btn-success")
 
 
 class Logout(BaseView):
-    @view_config(route_name='logout', renderer="templates/logout.pt")
+    @view_config(route_name='logout', renderer="templates/logout.pt", require_csrf=False)
     def view_logout(self):
         request = self.req
         if not request.user:
@@ -311,6 +324,7 @@ class Logout(BaseView):
             if "g_state" in request.cookies:
                 request.response.delete_cookie("g_state", '/')
             form.set_appstruct({"message": "Sukses Logout"})
+            request.session["login"] = False
 
         return dict(form=form.render())
 
@@ -319,10 +333,10 @@ class ChangePassword(colander.Schema):
     new_password = colander.SchemaNode(
         colander.String(), widget=widget.CheckedPasswordWidget())
     # retype_password = colander.SchemaNode(
-        # colander.String(), widget=widget.PasswordWidget())
+    # colander.String(), widget=widget.PasswordWidget())
     # password = colander.SchemaNode(colander.String(),
-                                   # widget=widget.PasswordWidget(),
-                                   # title=_("Old Password"))
+    # widget=widget.PasswordWidget(),
+    # title=_("Old Password"))
 
 
 def change_password_validator(form, value):
@@ -330,13 +344,13 @@ def change_password_validator(form, value):
     # exc = colander.Invalid(form, '')
     # user = form.request.user
     # if not UserService.check_password(user, value["password"]):
-        # exc["password"] = 'Login Failed'
-        # raise exc
+    # exc["password"] = 'Login Failed'
+    # raise exc
 
     # if value['new_password'] != value['retype_password']:
-        # exc["new_password"] = 'Retype mismatch.'
-        # exc["retype_password"] = 'Retype mismatch.'
-        # raise exc
+    # exc["new_password"] = 'Retype mismatch.'
+    # exc["retype_password"] = 'Retype mismatch.'
+    # raise exc
 
 
 @view_config(route_name='change-password',

opensipkd/base/views/widgets/password.pt

-<tal:block tal:define="name name|field.name;
-                       oid oid|field.oid;">
+<tal:block tal:define="
+    name name|field.name;
+    oid oid|field.oid;
+    ">
 <div class="input">
   <input
     type="password"
     name="${name}"
-    onkeyup="checkPasswordStrength${oid}();"
     value="${field.widget.redisplay and cstruct or ''}"
     tal:attributes="style style|field.widget.style;
                     class string: form-control ${css_class|field.widget.css_class or ''};
                     attributes|field.widget.attributes|{};"
     id="${oid}"/>
+<!--?  onkeyup="checkPasswordStrength${oid}();"-->
+
   <div class="checkbox">
       <label>
       <input type="checkbox" id="view${oid}">

requires.txt

@@ -16,7 +16,6 @@ psycopg2-binary
 alembic>=0.3.4
 pytz
 sqlalchemy-datatables
-z3c.rml
 py3o.template
 wheezy.captcha
 google-api-python-client

setup.py

@@ -35,8 +35,8 @@ requires = [
     'google-api-python-client',
     'google',
     'pyjwt',
-    'z3c.rml',
-    'opensipkd-tools @git+https://git.opensipkd.com/aa.gusti/opensipkd-tools.git',
+    # 'z3c.rml',
+    # 'opensipkd-tools @git+https://git.opensipkd.com/aa.gusti/opensipkd-tools.git',
 ]
 
 dev_requires = [