o [hC @sldZddlmZddlZddlZddlmZddlmZmZddl m Z dd l m Z d Z Gd d d e ZdS) a A provided CSRF implementation which puts CSRF data in a session. This can be used fairly comfortably with many `request.session` type objects, including the Werkzeug/Flask session store, Django sessions, and potentially other similar objects which use a dict-like API for storing session keys. The basic concept is a randomly generated value is stored in the user's session, and an hmac-sha1 of it (along with an optional expiration time, for extra security) is used as the value of the csrf_token. If this token validates with the hmac of the random value + expiration time, and the expiration time is not passed, the CSRF validation will pass. )unicode_literalsN)sha1)datetime timedelta)ValidationError) SecureForm)SessionSecureFormc@s.eZdZdZeddZdZddZddZdS) r z %Y%m%d%H%M%S)minutesNcCs|jdur td|durtdt|d|}d|vr&ttd|d<|d|j_ |j rCt |j  |j}d|d|f}nd}|d}tj|j|dtd }d ||fS) Nz=must set SECRET_KEY in a subclass of this form for it to workz2Must provide a session-like object as csrf contextsessionZcsrf@z%s%sutf8 digestmodz%s##%s) SECRET_KEY Exception TypeErrorgetattrrosurandom hexdigestZ csrf_tokencsrf_key TIME_LIMITrnowstrftime TIME_FORMAThmacnewencode)selfZ csrf_contextr expiresZ csrf_build hmac_csrfr%/home/ubuntu/experiments/live_experiments/Pythonexperiments/Otree/venv/lib/python3.10/site-packages/wtforms/ext/csrf/session.pygenerate_csrf_token"s   z%SessionSecureForm.generate_csrf_tokencCs|jrd|jvrt|d|jd\}}|j|d}tj|j|t d}| |kr5t|d|j rKt |j}||krMt|ddSdS)Nz##zCSRF token missingrrz CSRF failedzCSRF token expired)datargettextsplitrr!rr rrrrrrrr)r"fieldr#r$Z check_valZ hmac_compareZ now_formattedr%r%r&validate_csrf_token8s z%SessionSecureForm.validate_csrf_token) __name__ __module__ __qualname__rrrrr'r,r%r%r%r&r s   r )__doc__ __future__rrrhashlibrrrZ validatorsrformr __all__r r%r%r%r&s