Add ANON_ALWAYS setting that enables CSRF protection for all anonymous views.

Author: Jody McIntyre

README.rst

@@ -90,6 +90,15 @@ anonymous view is protected through a CAPTCHA, for example.
  ...
 
 
+If you want all views to have CSRF protection for anonymous users, use
+the following setting:
+
+ ``ANON_ALWAYS``
+ always provide CSRF protection for anonymous users
+
+ Default: False
+
+
 Why do I want this?
 -------------------
 

session_csrf/__init__.py

@@ -10,6 +10,7 @@
 
 ANON_COOKIE = getattr(settings, 'ANON_COOKIE', 'anoncsrf')
 ANON_TIMEOUT = getattr(settings, 'ANON_TIMEOUT', 60 * 60 * 2) # 2 hours.
+ANON_ALWAYS = getattr(settings, 'ANON_ALWAYS', False)
 
 
 # This overrides django.core.context_processors.csrf to dump our csrf_token
@@ -43,11 +44,20 @@ def process_request(self, request):
  request.csrf_token = request.session['csrf_token'] = token
  else:
  request.csrf_token = request.session['csrf_token']
- elif ANON_COOKIE in request.COOKIES:
- key = request.COOKIES[ANON_COOKIE]
- request.csrf_token = cache.get(key, '')
  else:
- request.csrf_token = ''
+ key = None
+ token = ''
+ if ANON_COOKIE in request.COOKIES:
+ key = request.COOKIES[ANON_COOKIE]
+ token = cache.get(key, '')
+ if ANON_ALWAYS:
+ if not key:
+ key = django_csrf._get_new_csrf_key()
+ if not token:
+ token = django_csrf._get_new_csrf_key()
+ request._anon_csrf_key = key
+ cache.set(key, token, ANON_TIMEOUT)
+ request.csrf_token = token
 
  def process_view(self, request, view_func, args, kwargs):
  """Check the CSRF token if this is a POST."""
@@ -89,13 +99,22 @@ def process_view(self, request, view_func, args, kwargs):
  else:
  return self._accept(request)
 
+ def process_response(self, request, response):
+ if hasattr(request, '_anon_csrf_key'):
+ # Set or reset the cache and cookie timeouts.
+ response.set_cookie(ANON_COOKIE, request._anon_csrf_key,
+ max_age=ANON_TIMEOUT, httponly=True,
+ secure=request.is_secure())
+ patch_vary_headers(response, ['Cookie'])
+ return response
+
 
 def anonymous_csrf(f):
  """Decorator that assigns a CSRF token to an anonymous user."""
  @functools.wraps(f)
  def wrapper(request, *args, **kw):
- anon = not request.user.is_authenticated()
- if anon:
+ use_anon_cookie = not (request.user.is_authenticated() or ANON_ALWAYS)
+ if use_anon_cookie:
  if ANON_COOKIE in request.COOKIES:
  key = request.COOKIES[ANON_COOKIE]
  token = cache.get(key) or django_csrf._get_new_csrf_key()
@@ -105,7 +124,7 @@ def wrapper(request, *args, **kw):
  cache.set(key, token, ANON_TIMEOUT)
  request.csrf_token = token
  response = f(request, *args, **kw)
- if anon:
+ if use_anon_cookie:
  # Set or reset the cache and cookie timeouts.
  response.set_cookie(ANON_COOKIE, key, max_age=ANON_TIMEOUT,
  httponly=True, secure=request.is_secure())

session_csrf/tests.py

@@ -1,3 +1,5 @@
+from contextlib import contextmanager
+
 import django.test
 from django import http
 from django.conf.urls.defaults import patterns
@@ -12,6 +14,7 @@
 
 import mock
 
+import session_csrf
 from session_csrf import CsrfMiddleware, anonymous_csrf, anonymous_csrf_exempt
 
 
@@ -28,6 +31,11 @@ class TestCsrfToken(django.test.TestCase):
  def setUp(self):
  self.client.handler = ClientHandler()
  User.objects.create_user('jbalogh', 'j@moz.com', 'password')
+ self.save_ANON_ALWAYS = session_csrf.ANON_ALWAYS
+ session_csrf.ANON_ALWAYS = False
+
+ def tearDown(self):
+ session_csrf.ANON_ALWAYS = self.save_ANON_ALWAYS
 
  def login(self):
  assert self.client.login(username='jbalogh', password='password')
@@ -155,6 +163,11 @@ def setUp(self):
  self.rf = django.test.RequestFactory()
  User.objects.create_user('jbalogh', 'j@moz.com', 'password')
  self.client.handler = ClientHandler(enforce_csrf_checks=True)
+ self.save_ANON_ALWAYS = session_csrf.ANON_ALWAYS
+ session_csrf.ANON_ALWAYS = False
+
+ def tearDown(self):
+ session_csrf.ANON_ALWAYS = self.save_ANON_ALWAYS
 
  def login(self):
  assert self.client.login(username='jbalogh', password='password')
@@ -238,6 +251,82 @@ def test_anonymous_csrf_exempt(self):
  self.assertEqual(response.status_code, 403)
 
 
+class TestAnonAlways(django.test.TestCase):
+ # Repeats some tests with ANON_ALWAYS = True
+ urls = 'session_csrf.tests'
+
+ def setUp(self):
+ self.token = 'a' * 32
+ self.rf = django.test.RequestFactory()
+ User.objects.create_user('jbalogh', 'j@moz.com', 'password')
+ self.client.handler = ClientHandler(enforce_csrf_checks=True)
+ self.save_ANON_ALWAYS = session_csrf.ANON_ALWAYS
+ session_csrf.ANON_ALWAYS = True
+
+ def tearDown(self):
+ session_csrf.ANON_ALWAYS = self.save_ANON_ALWAYS
+
+ def login(self):
+ assert self.client.login(username='jbalogh', password='password')
+
+ def test_csrftoken_unauthenticated(self):
+ # request.csrf_token is set for anonymous users
+ # when ANON_ALWAYS is enabled.
+ response = self.client.get('/', follow=True)
+ # The CSRF token is a 32-character MD5 string.
+ self.assertEqual(len(response._request.csrf_token), 32)
+
+ def test_authenticated_request(self):
+ # Nothing special happens, nothing breaks.
+ # Find the CSRF token in the session.
+ self.login()
+ response = self.client.get('/', follow=True)
+ sessionid = response.cookies['sessionid'].value
+ session = Session.objects.get(session_key=sessionid)
+ token = session.get_decoded()['csrf_token']
+
+ response = self.client.post('/', follow=True, HTTP_X_CSRFTOKEN=token)
+ self.assertEqual(response.status_code, 200)
+
+ def test_unauthenticated_request(self):
+ # We get a 403 since we're not sending a token.
+ response = self.client.post('/')
+ self.assertEqual(response.status_code, 403)
+
+ def test_new_anon_token_on_request(self):
+ # A new anon user gets a key+token on the request and response.
+ response = self.client.get('/')
+ # Get the key from the cookie and find the token in the cache.
+ key = response.cookies['anoncsrf'].value
+ self.assertEqual(response._request.csrf_token, cache.get(key))
+
+ def test_existing_anon_cookie_on_request(self):
+ # We reuse an existing anon cookie key+token.
+ response = self.client.get('/')
+ key = response.cookies['anoncsrf'].value
+
+ # Now check that subsequent requests use that cookie.
+ response = self.client.get('/')
+ self.assertEqual(response.cookies['anoncsrf'].value, key)
+ self.assertEqual(response._request.csrf_token, cache.get(key))
+ self.assertEqual(response['Vary'], 'Cookie')
+
+ def test_anon_csrf_logout(self):
+ # Beware of views that logout the user.
+ self.login()
+ response = self.client.get('/logout')
+ self.assertEqual(response.status_code, 200)
+
+ def test_existing_anon_cookie_not_in_cache(self):
+ response = self.client.get('/')
+ self.assertEqual(len(response._request.csrf_token), 32)
+
+ # Clear cache and make sure we still get a token
+ cache.clear()
+ response = self.client.get('/')
+ self.assertEqual(len(response._request.csrf_token), 32)
+
+
 class ClientHandler(django.test.client.ClientHandler):
  """
  Handler that stores the real request object on the response.