If the auth token is available via some other URL, doesn't that defeat the
point? The site attempting to forge could go to that same URL, get the
token, then forge the request.


On Tue, Oct 5, 2010 at 12:58 AM, Ian Jamieson <[email protected]> wrote:

> I don't know enough to answer, I can only give an example of how I tested
> forms with auth tokens.
> This is a few months ago now, so I'm a bit fuzzy on why I did it like this
> and hope others have better examples.
>
> In routing.py:
> map.connect('authToken',      '/accounts/authtoken',
> controller='accounts',  action='authToken')
>
> That authToken action uses authentication_token()
>  from webhelpers.pylonslib.secure_form
>
> In the test two requests happen, one to get the form and one to get the
> auth token.
> ....
>     def test_exampletest(self):
>         #1 get form
>         response = self.app.get(url('urlThatReturnsTheForm'))
>         resendForm = response.forms.get('FormName')
>         resendForm.set(u'fieldName', 'ValueToSet')
>
>         #2 get auth token, and put in it the form
>         authTokenResponse = self.app.get(url('authToken'))
>         resendForm.set(u'_authentication_token', authTokenResponse.body)
>         response3 = resendForm.submit()
> ....
>
>
> If I remember correctly, the reason why there is a route just for getting
> the auth token is because some times a user would submit a form with an
> error or hit the back button and return to the form with a now stale auth
> token, so some javascript was used to always get a new token whenever a form
> was shown.
>
> Just my two cents, I think others on here might have better suggestions.
> Ian
>
>
> On Tue, Oct 5, 2010 at 1:12 PM, Ryan <[email protected]> wrote:
>
>> I'm using:
>> from pylons.decorators.secure import authenticate_form
>>
>> And the decorator:
>> @authenticate_form
>>
>> I started off decorating both the action that renders the form (edit),
>> and the action that handles the form (update). But that prevented the
>> form from even loading (403 on account of CSRF), so I moved the
>> decorator exclusively to the handler action.
>>
>> Seems to work, but I have a question: I don't understand how merely
>> importing authenticate_form and decorating my update action magically
>> creates an "_authentication_token" hidden field on the form rendered
>> by the non-decorated edit action. Can someone explain?
>>
>> Second question: While the authenticity token works, my functional
>> tests now fail. Can someone give an example of how to functionally
>> test a form that uses authenticity tokens?
>>
>> Thanks.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "pylons-discuss" group.
>> To post to this group, send email to [email protected].
>> To unsubscribe from this group, send email to
>> [email protected]<pylons-discuss%[email protected]>
>> .
>> For more options, visit this group at
>> http://groups.google.com/group/pylons-discuss?hl=en.
>>
>>
>  --
> You received this message because you are subscribed to the Google Groups
> "pylons-discuss" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected]<pylons-discuss%[email protected]>
> .
> For more options, visit this group at
> http://groups.google.com/group/pylons-discuss?hl=en.
>

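Added example (not code from this thread, and not the Pylons or WebHelpers source): a stand-alone Python model of the mechanism Ryan asks about and of the functional-test approach Ian describes. The helper names authentication_token, secure_form, authenticated_form and authenticate_form mirror the WebHelpers/Pylons helpers named in the thread, but they are reimplemented here on a plain dict standing in for the session; edit, update, token_from_form and run_functional_test are invented for the example. The token lives in the server-side session and the form helper copies it into the hidden _authentication_token field, which is why the undecorated edit action still renders it; the decorated update action only compares the submitted value with the session's value. The test pulls the token out of the rendered form rather than from a separate token route, and also shows that a token fetched under a different session does not validate.

```python
import hmac
import html
import re
import secrets

# Field and session key name used by Pylons/WebHelpers secure forms.
TOKEN_KEY = "_authentication_token"


def authentication_token(session):
    """Return this session's CSRF token, creating it on first use.
    Models webhelpers.pylonslib.secure_form.authentication_token()."""
    if TOKEN_KEY not in session:
        session[TOKEN_KEY] = secrets.token_hex(16)
    return session[TOKEN_KEY]


def secure_form(session, action, method="POST"):
    """Render an opening <form> tag plus the hidden token field.
    This is how the field reaches the page: the helper that renders the
    form emits it, not the decorator on the handler."""
    token = authentication_token(session)
    return ('<form action="%s" method="%s">\n'
            '<input type="hidden" name="%s" value="%s" />'
            % (html.escape(action), method, TOKEN_KEY, html.escape(token)))


def authenticated_form(session, params):
    """True when the submitted token matches the session token (constant-time)."""
    expected = session.get(TOKEN_KEY)
    submitted = params.get(TOKEN_KEY)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def authenticate_form(handler):
    """Decorator modelled on pylons.decorators.secure.authenticate_form:
    reject the request with 403 unless the token checks out."""
    def wrapper(session, params):
        if not authenticated_form(session, params):
            return 403, "Forbidden: CSRF token missing or invalid"
        return handler(session, params)
    return wrapper


def edit(session):
    """Undecorated GET action (hypothetical) that renders the form."""
    body = secure_form(session, "/accounts/update") + '<input name="name" /></form>'
    return 200, body


@authenticate_form
def update(session, params):
    """Decorated POST action (hypothetical) that handles the form."""
    return 200, "updated %s" % params.get("name")


_TOKEN_RE = re.compile(r'name="_authentication_token" value="([^"]+)"')


def token_from_form(body):
    """Functional-test helper: read the token from the rendered form itself,
    so no extra route that hands out tokens is needed."""
    match = _TOKEN_RE.search(body)
    return match.group(1) if match else None


def run_functional_test():
    """Constructed scenario: one victim session, one forger session.
    Returns the HTTP status of each submission attempt."""
    victim = {}                       # constructed: the logged-in user's session
    _, form_body = edit(victim)       # step 1: fetch the form
    token = token_from_form(form_body)

    # step 2: submit with the token copied from the form -> accepted
    ok = update(victim, {"name": "alice", TOKEN_KEY: token})

    # A forging site that fetches a token gets one bound to *its own* session;
    # replaying it against the victim's session does not match.
    forger = {}                       # constructed: the attacker's own session
    forger_token = authentication_token(forger)
    forged = update(victim, {"name": "mallory", TOKEN_KEY: forger_token})

    missing = update(victim, {"name": "alice"})                       # no token
    stale = update(victim, {"name": "alice", TOKEN_KEY: "deadbeef"})  # old/wrong token

    return {"ok": ok[0], "forged": forged[0], "missing": missing[0], "stale": stale[0]}


if __name__ == "__main__":
    print(run_functional_test())
```

The same extraction step works against a real WebTest response: read the hidden field from the form the edit action returned and submit it back, instead of wiring up a route that returns the token on its own.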