From 3c074948094c7e2ab897d4e4e2e17c513ce63613 Mon Sep 17 00:00:00 2001 From: Thomas Sileo Date: Fri, 9 Jun 2023 22:22:37 +0200 Subject: [PATCH] Make CSRF expiration configurable and increase default value --- app/config.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/app/config.py b/app/config.py index fe691d7..1cd593c 100644 --- a/app/config.py +++ b/app/config.py @@ -124,6 +124,7 @@ class Config(pydantic.BaseModel): key_path: str | None = None session_timeout: int = 3600 * 24 * 3 # in seconds, 3 days by default + csrf_token_exp: int = 3600 disabled_notifications: list[str] = [] @@ -263,7 +264,7 @@ def verify_csrf_token( if redirect_url: please_try_again = f'please try again' try: - csrf_serializer.loads(csrf_token, max_age=1800) + csrf_serializer.loads(csrf_token, max_age=CONFIG.csrf_token_exp) except (itsdangerous.BadData, itsdangerous.SignatureExpired): logger.exception("Failed to verify CSRF token") raise HTTPException(
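Review bot: The new `csrf_token_exp` field is the only timing setting in this block without a unit comment, while `session_timeout` directly above it states both the unit and the default; add `csrf_token_exp: int = 3600  # in seconds, 1 hour by default`. Nothing constrains the value: a zero or negative setting would presumably make every token fail verification in `verify_csrf_token`, and since the file already builds on `pydantic.BaseModel`, `csrf_token_exp: int = pydantic.Field(default=3600, gt=0)` would reject that at config load. The doubled default also doubles the window in which a captured token remains replayable, so the comment should note that the value should not exceed `session_timeout`. The `Config` class starts and ends outside the hunk.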
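Review bot: With `max_age` now taken from `CONFIG.csrf_token_exp`, the except branch still cannot tell an expired token from a tampered one (`itsdangerous.SignatureExpired` is a `BadData` subclass, so both reach the same `logger.exception` with the same message), which matters once the window is operator-tunable: an expiry indicates the setting is too tight, a bad signature is the event worth alerting on. Binding the exception and including its class and the configured window in the log keeps the two distinguishable, e.g. `except (itsdangerous.BadData, itsdangerous.SignatureExpired) as exc:` followed by `logger.exception("Failed to verify CSRF token (%s, max_age=%s)", type(exc).__name__, CONFIG.csrf_token_exp)`. The enclosing `verify_csrf_token` starts before and ends after the hunk, so the `HTTPException` it raises is not visible here.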