You're probably right, if there's an unexpired session and the user visits pages with links that trick the user into performing some action.

I revisited that and found that it was losing the token after using the validate decorator. So had to be sure to use the authenticate_token decorator after using the validate decorator.
http://stackoverflow.com/questions/2981555/using-pylons-validate-and-authenticate-form-decorator

In the tests I still use a request to get the form with a token and then fill in values to post. I do not need to use a request to just get the token any more.

On Tue, Oct 5, 2010 at 11:34 PM, Ryan McKillen <[email protected]> wrote:
> If the auth token is available via some other URL, doesn't that defeat the
> point? The site attempting to forge could go to that same URL, get the
> token, then forge the request.
>
> On Tue, Oct 5, 2010 at 12:58 AM, Ian Jamieson <[email protected]> wrote:
>
>> I don't know enough to answer, I can only give an example of how I tested
>> forms with auth tokens.
>> This is a few months ago now, so I'm a bit fuzzy on why I did it like this
>> and hope others have better examples.
>>
>> In routing.py:
>>     map.connect('authToken', '/accounts/authtoken',
>>                 controller='accounts', action='authToken')
>>
>> That authToken action uses authentication_token()
>> from webhelpers.pylonslib.secure_form
>>
>> In the test two requests happen, one to get the form and one to get the
>> auth token.
>> ....
>>     def test_exampletest(self):
>>         # 1 get form
>>         response = self.app.get(url('urlThatReturnsTheForm'))
>>         resendForm = response.forms.get('FormName')
>>         resendForm.set(u'fieldName', 'ValueToSet')
>>
>>         # 2 get auth token, and put it in the form
>>         authTokenResponse = self.app.get(url('authToken'))
>>         resendForm.set(u'_authentication_token', authTokenResponse.body)
>>         response3 = resendForm.submit()
>> ....
>>
>> If I remember correctly, the reason why there is a route just for getting
>> the auth token is because some times a user would submit a form with an
>> error or hit the back button and return to the form with a now stale auth
>> token, so some javascript was used to always get a new token whenever a form
>> was shown.
>>
>> Just my two cents, I think others on here might have better suggestions.
>> Ian
>>
>> On Tue, Oct 5, 2010 at 1:12 PM, Ryan <[email protected]> wrote:
>>
>>> I'm using:
>>>     from pylons.decorators.secure import authenticate_form
>>>
>>> And the decorator:
>>>     @authenticate_form
>>>
>>> I started off decorating both the action that renders the form (edit),
>>> and the action that handles the form (update). But that prevented the
>>> form from even loading (403 on account of CSRF), so I moved the
>>> decorator exclusively to the handler action.
>>>
>>> Seems to work, but I have a question: I don't understand how merely
>>> importing authenticate_form and decorating my update action magically
>>> creates an "_authentication_token" hidden field on the form rendered
>>> by the non-decorated edit action. Can someone explain?
>>>
>>> Second question: While the authenticity token works, my functional
>>> tests now fail. Can someone give an example of how to functionally
>>> test a form that uses authenticity tokens?
>>>
>>> Thanks.
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups
>>> "pylons-discuss" group.
>>> To post to this group, send email to [email protected].
>>> To unsubscribe from this group, send email to [email protected].
>>> For more options, visit this group at
>>> http://groups.google.com/group/pylons-discuss?hl=en.
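As an added illustration of the decorator-order problem Ian describes and of the fetch-the-form-then-submit test flow (this is not code from the thread or from Pylons itself): the helper and two decorators below are simplified stand-ins for webhelpers' authentication_token(), pylons' authenticate_form and a @validate that filters unknown fields, with the session and the form modelled as plain dicts.

```python
import secrets
from functools import wraps

TOKEN_KEY = "_authentication_token"   # hidden-field name Pylons' secure_form uses

def authentication_token(session):
    """Return the session's token, minting one on first use (stand-in, not webhelpers')."""
    if TOKEN_KEY not in session:
        session[TOKEN_KEY] = secrets.token_hex(16)
    return session[TOKEN_KEY]

def authenticate_form(func):
    """Reject the POST unless the submitted token matches the session's token."""
    @wraps(func)
    def wrapper(session, params):
        expected = session.get(TOKEN_KEY)
        submitted = params.get(TOKEN_KEY, "")
        if not expected or not secrets.compare_digest(submitted, expected):
            return 403, "forbidden: authentication token missing or stale"
        return func(session, params)
    return wrapper

def validate(fields):
    """Keep only schema fields (like filter_extra_fields=True): the token is dropped."""
    def decorator(func):
        @wraps(func)
        def wrapper(session, params):
            return func(session, {k: v for k, v in params.items() if k in fields})
        return wrapper
    return decorator

@authenticate_form            # outermost: checks the token before validate strips it
@validate({"name"})
def update_ok(session, params):
    return 200, params

@validate({"name"})           # outermost: strips the token, so the check always fails
@authenticate_form
def update_broken(session, params):
    return 200, params

def render_form(session):
    """Simulate GET of the edit page: the rendered form carries the hidden token field."""
    return {"name": "", TOKEN_KEY: authentication_token(session)}

def functional_test():
    """Mirror the webtest flow: fetch the form (token included), fill it in, submit."""
    session = {}
    form = render_form(session)
    form["name"] = "alice"
    return update_ok(session, form), update_broken(session, dict(form))
```

A submission that lacks the hidden field, or carries a token minted for a different session, is refused with 403 by update_ok, which is the check the test asserts on.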
