diff --git a/kallithea/controllers/login.py b/kallithea/controllers/login.py
--- a/kallithea/controllers/login.py
+++ b/kallithea/controllers/login.py
@@ -255,4 +255,4 @@ class LoginController(BaseController):
Only intended for testing but might also be useful for other kinds
of automation.
"""
- return h.authentication_token()
+ return h.session_csrf_secret_token()
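Review bot: The docstring, which begins outside the hunk, describes the returned value only by its intended use ("for testing") and not by what it is; after the rename the return value is explicitly the session-bound CSRF secret, and the docstring should say so, e.g. `Return the CSRF secret bound to the caller's current session, in plain text.` followed by the existing sentence about testing and automation. The enclosing method's signature and any access decorator are before the hunk, so the note cannot confirm how the endpoint is guarded.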
diff --git a/kallithea/lib/base.py b/kallithea/lib/base.py
--- a/kallithea/lib/base.py
+++ b/kallithea/lib/base.py
@@ -366,8 +366,8 @@ class BaseController(TGController):
# where we allow side effects without ambient authority is when the
# authority comes from an API key; and that is handled above.
from kallithea.lib import helpers as h
- token = request.POST.get(h.token_key)
- if not token or token != h.authentication_token():
+ token = request.POST.get(h.session_csrf_secret_name)
+ if not token or token != h.session_csrf_secret_token():
log.error('CSRF check failed')
raise webob.exc.HTTPForbidden()
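Review bot: The check on the second added line compares the submitted token with the session secret using `!=`, which short-circuits on the first differing byte; a constant-time comparison is the conventional choice for a secret-versus-input comparison and costs nothing here: `if not token or not hmac.compare_digest(token, h.session_csrf_secret_token()):` with `import hmac` added to the module's imports (available from Python 2.7.7; both operands must be the same string type, which the `not token` guard does not by itself guarantee). The enclosing method starts before the hunk.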
@@ -479,9 +479,9 @@ class BaseController(TGController):
# Make sure CSRF token never appears in the URL. If so, invalidate it.
from kallithea.lib import helpers as h
- if h.token_key in request.GET:
+ if h.session_csrf_secret_name in request.GET:
log.error('CSRF key leak detected')
- session.pop(h.token_key, None)
+ session.pop(h.session_csrf_secret_name, None)
session.save()
h.flash(_('CSRF token leak has been detected - all form tokens have been expired'),
category='error')
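Review bot: The `log.error('CSRF key leak detected')` line records nothing about which request carried the secret in its query string, so the event cannot be traced back to the page or link that is putting the token into a GET. Logging the path, deliberately without the query string since that is what holds the leaked value, gives responders the offending URL: `log.error('CSRF key leak detected in request to %s', request.path_info)`. The added `session.pop` line expires the stored secret assuming webhelpers keeps it in the session under `token_key`, which is what the rename relies on; the enclosing method starts before the hunk.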
diff --git a/kallithea/lib/helpers.py b/kallithea/lib/helpers.py
--- a/kallithea/lib/helpers.py
+++ b/kallithea/lib/helpers.py
@@ -35,7 +35,7 @@ from webhelpers.html.tags import checkbo
select, submit, text, password, textarea, radio, form as insecure_form
from webhelpers.number import format_byte_size
from webhelpers.pylonslib import Flash as _Flash
-from webhelpers.pylonslib.secure_form import secure_form, authentication_token, token_key
+from webhelpers.pylonslib.secure_form import secure_form, authentication_token as session_csrf_secret_token, token_key as session_csrf_secret_name
from webhelpers.text import chop_at, truncate, wrap_paragraphs
from webhelpers.html.tags import _set_input_attrs, _set_id_attr, \
convert_boolean_attrs, NotGiven, _make_safe_id_component
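Review bot: The aliased import on the added line is far longer than the surrounding lines and, more importantly, it silently removes `h.authentication_token` and `h.token_key`; any template or module outside this diff that still uses the old names will fail only at render time with an AttributeError, so templates should be grepped for `authentication_token(` and `token_key` before this lands. For readability the import should be split across continuation lines: `from webhelpers.pylonslib.secure_form import secure_form, \` / `    authentication_token as session_csrf_secret_token, \` / `    token_key as session_csrf_secret_name`.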
@@ -1275,8 +1275,9 @@ def ip_range(ip_addr):
def form(url, method="post", **attrs):
"""Like webhelpers.html.tags.form but automatically using secure_form with
- authentication_token for POST. authentication_token is thus never leaked
- in the URL."""
+ session_csrf_secret_token for POST. The secret is thus never leaked in
+ URLs.
+ """
if method.lower() == 'get':
return insecure_form(url, method=method, **attrs)
# webhelpers will turn everything but GET into POST
diff --git a/kallithea/model/user.py b/kallithea/model/user.py
--- a/kallithea/model/user.py
+++ b/kallithea/model/user.py
@@ -338,7 +338,7 @@ class UserModel(object):
log.debug('password reset user %s found', user)
token = self.get_reset_password_token(user,
timestamp,
- h.authentication_token())
+ h.session_csrf_secret_token())
# URL must be fully qualified; but since the token is locked to
# the current browser session, we must provide a URL with the
# current scheme and hostname, rather than the canonical_url.
@@ -391,7 +391,7 @@ class UserModel(object):
expected_token = self.get_reset_password_token(user,
timestamp,
- h.authentication_token())
+ h.session_csrf_secret_token())
log.debug('computed password reset token: %s', expected_token)
log.debug('received password reset token: %s', token)
return expected_token == token
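Review bot: The two `log.debug` context lines in this hunk write both the computed and the received password reset token to the log, which makes the log file as sensitive as the reset e-mail while the token is valid; the rename leaves that in place. A single line that records only the outcome, `log.debug('password reset token %s', 'matched' if expected_token == token else 'mismatched')`, keeps the diagnostic value without storing the secret. The final `return expected_token == token` compares a derived secret with a caller-supplied value and would be better as `return hmac.compare_digest(expected_token, token)` with `import hmac`, provided `token` is guaranteed to be a string of the same type by the caller, which is outside the hunk; the enclosing method starts before the hunk, and the earlier hunk in this file derives the same token for the e-mail link.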
diff --git a/kallithea/public/js/base.js b/kallithea/public/js/base.js
--- a/kallithea/public/js/base.js
+++ b/kallithea/public/js/base.js
@@ -408,7 +408,7 @@ var ajaxGET = function(url, success, fai
};
var ajaxPOST = function(url, postData, success, failure) {
- postData['_authentication_token'] = _authentication_token;
+ postData['_authentication_token'] = _session_csrf_secret_token;
var postData = _toQueryString(postData);
if(failure === undefined) {
failure = function(jqXHR, textStatus, errorThrown) {
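Review bot: The changed line still hard-codes the form field name `'_authentication_token'` while the Python side now reads it from `h.session_csrf_secret_name`, so client and server agree only because webhelpers' `token_key` happens to be that string; the same hard-coded key appears in the two later hunks of this file and in the `admin/gists/edit.html` hunk. Exposing the name next to the secret in `root.html`, `var _session_csrf_secret_name = ${h.js(h.session_csrf_secret_name)};`, and using it here as `postData[_session_csrf_secret_name] = _session_csrf_secret_token;` keeps the client in step with the server if the key ever changes. `ajaxPOST` continues past the hunk.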
@@ -458,7 +458,7 @@ var _onSuccessFollow = function(target){
var toggleFollowingRepo = function(target, follows_repository_id){
var args = 'follows_repository_id=' + follows_repository_id;
- args += '&_authentication_token=' + _authentication_token;
+ args += '&_authentication_token=' + _session_csrf_secret_token;
$.post(TOGGLE_FOLLOW_URL, args, function(data){
_onSuccessFollow(target);
});
@@ -466,7 +466,7 @@ var toggleFollowingRepo = function(targe
};
var showRepoSize = function(target, repo_name){
- var args = '_authentication_token=' + _authentication_token;
+ var args = '_authentication_token=' + _session_csrf_secret_token;
if(!$("#" + target).hasClass('loaded')){
$("#" + target).html(_TM['Loading ...']);
diff --git a/kallithea/templates/admin/gists/edit.html b/kallithea/templates/admin/gists/edit.html
--- a/kallithea/templates/admin/gists/edit.html
+++ b/kallithea/templates/admin/gists/edit.html
@@ -153,7 +153,7 @@
// check for newer version.
$.ajax({
url: ${h.js(h.url('edit_gist_check_revision', gist_id=c.gist.gist_access_id))},
- data: {'revision': ${h.js(c.file_changeset.raw_id)}, '_authentication_token': _authentication_token},
+ data: {'revision': ${h.js(c.file_changeset.raw_id)}, '_authentication_token': _session_csrf_secret_token},
dataType: 'json',
type: 'POST',
success: function(data) {
diff --git a/kallithea/templates/base/root.html b/kallithea/templates/base/root.html
--- a/kallithea/templates/base/root.html
+++ b/kallithea/templates/base/root.html
@@ -65,7 +65,7 @@
var REPO_NAME = ${h.js(c.repo_name)};
%endif
- var _authentication_token = ${h.js(h.authentication_token())};
+ var _session_csrf_secret_token = ${h.js(h.session_csrf_secret_token())};