Closed Bug 756224 Opened 12 years ago Closed 12 years ago

add central storage to balrog admin app to share csrf tokens (and maybe other things)

Categories

(Release Engineering :: General, defect)

Product:
Release Engineering
Component:
General
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: bhearsum, Assigned: bhearsum)

References

Details

Right now, Flask is merely holding the CSRF tokens that WTForms generates in memory. We need these in a shared storage, otherwise things will only work when you fluke out and POST/PUT/DELETE to the same server you got the token from. We can probably use redis or memcached for this. Worst case scenario, another table in the db will do it.
I was digging around last night and I'm 99% sure we don't need this. WTForms' CSRF validation calculates an HMAC digest based on a secret key. For us, that secret key is set in admin.ini and consistent across webheads.

https://bitbucket.org/simplecodes/wtforms/src/64016474112e/wtforms/ext/csrf/session.py#cl-54
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX
Product: mozilla.org → Release Engineering
Component: General Automation → General
You need to log in before you can comment on or make changes to this bug.