fix: use frozenset for SAFE_METHODS and extract SESSION_KEY constant

This commit is contained in:
Johan Lundberg 2026-02-19 13:42:18 +01:00
parent f93290d43e
commit b5ea9950a2
No known key found for this signature in database
GPG key ID: A6C152738D03C7D1


@ -10,7 +10,8 @@ from starlette.types import ASGIApp, Receive, Scope, Send
logger = logging.getLogger(__name__)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
SESSION_KEY = "csrf_token"
def generate_csrf_token(request: Request) -> str:
@ -19,10 +20,10 @@ def generate_csrf_token(request: Request) -> str:
Stores the token at ``request.session["csrf_token"]``. Returns the
existing token when one is already present (idempotent per session).
"""
token: str | None = request.session.get("csrf_token")
token: str | None = request.session.get(SESSION_KEY)
if token is None:
token = secrets.token_urlsafe(32)
request.session["csrf_token"] = token
request.session[SESSION_KEY] = token
return token
@ -70,7 +71,7 @@ class CSRFMiddleware:
return
# Token validation
expected_token: str | None = request.session.get("csrf_token")
expected_token: str | None = request.session.get(SESSION_KEY)
# Check header first, then fall back to form field
submitted_token: str | None = request.headers.get("x-csrf-token")
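Review bot: The docstring of generate_csrf_token in the second hunk still spells the session key out literally (``request.session["csrf_token"]``) while the body just below now reads and writes `SESSION_KEY`, so the two can drift the next time the key is renamed; suggest `Stores the token at ``request.session[SESSION_KEY]``. Returns the` for that docstring line. The same literal-vs-constant split does not recur in the third hunk, where the lookup of `expected_token` already goes through `SESSION_KEY`. As a point of naming, `SESSION_KEY` is fairly generic for a module-level constant that other code may import alongside `SAFE_METHODS`; a short comment such as `# session key under which the per-session CSRF token is stored` next to its definition in the first hunk would make its role explicit. The enclosing method of the third hunk starts before the hunk, so the header/form fallback and the comparison of the two tokens are not visible here.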