added CSRF protection

app/http/middleware/CsrfMiddleware.py

@@ -0,0 +1,49 @@
+''' CSRF Middleware '''
+
+from masonite.exceptions import InvalidCSRFToken
+
+
+class CsrfMiddleware:
+ ''' Verify CSRF Token Middleware '''
+
+ exempt = []
+
+ def __init__(self, Request, Csrf, ViewClass):
+ self.request = Request
+ self.csrf = Csrf
+ self.view = ViewClass
+
+ def before(self):
+ token = self.__verify_csrf_token()
+
+ self.view.share({
+ 'csrf_field': "<input type='hidden' name='csrf_token' value='{0}' />".format(token)
+ })
+
+ def after(self):
+ pass
+
+ def __in_exempt(self):
+ """
+ Determine if the request has a URI that should pass
+ through CSRF verification.
+ """
+
+ if self.request.path in self.exempt:
+ return True
+ else:
+ return False
+
+ def __verify_csrf_token(self):
+ """
+ Verify si csrf token in post is valid.
+ """
+
+ if self.request.is_post() and not self.__in_exempt():
+ token = self.request.input('csrf_token')
+ if not self.csrf.verify_csrf_token(token):
+ raise InvalidCSRFToken("Invalid CSRF token.")
+ else:
+ token = self.csrf.generate_csrf_token()
+
+ return token

config/application.py

@@ -13,7 +13,7 @@
 |
 '''
 
-NAME = 'Masonite 1.3'
+NAME = 'Masonite 1.4'
 
 '''
 |--------------------------------------------------------------------------
@@ -81,6 +81,7 @@
  'masonite.providers.QueueProvider.QueueProvider',
  'masonite.providers.BroadcastProvider.BroadcastProvider',
  'masonite.providers.CacheProvider.CacheProvider',
+ 'masonite.providers.CsrfProvider.CsrfProvider',
 
  # Third Party Providers
 

config/middleware.py

@@ -13,6 +13,7 @@
 
 HTTP_MIDDLEWARE = [
  'app.http.middleware.LoadUserMiddleware.LoadUserMiddleware',
+ 'app.http.middleware.CsrfMiddleware.CsrfMiddleware',
 ]
 
 '''