Add base CSRF extension

[djdduty]

• [x] Optional configuration of cookie settings and secret to select cookie-based interaction vs. session-based.
• [x] Request a new binary token: bytes(context.csrf) (Python 3)
• [x] Request a new hex-encoded token: str(context.csrf) (same)
• [x] Either of the previous two operations might require the generation of a new per-session (or per-cookie) secret, setting a session value or a cookie on the response respectively.
  • [ ] Cookie (session cookie; must not allow duration configuration, must require HTTP-only, and warn if HTTPS-only is not enabled outside of development) storage of signed secret.
  • [x] Session attribute storage of CSRF token. (Assignment of an object with both __str__ and __bytes__ to allow for flexible session configuration on that side of things.)
• [x] Verify a token: context.csrf(token) — returns True or False. No token, shouldn't trigger the generation of.
• [x] Require a valid token: @when(when.csrf) (or direct use of class in __acl__ assignment)
• [ ] (Bonus points.) "Secure form" generation within cinje or another template engine: ${context.csrf} → context.csrf.__html__() → <input type="hidden" name="_csrf" value="${str(token)}">

Still needs improvements to the actual CSRF check (referer checking and such).

[codecov-io]

Codecov Report

Merging #2 into develop will decrease coverage by -41.2%. The diff coverage is 0%.

@@            Coverage Diff             @@
##           develop      #2      +/-   ##
==========================================
- Coverage      100%   58.8%   -41.2%     
==========================================
  Files            4       7       +3     
  Lines          167     284     +117     
==========================================
  Hits           167     167              
- Misses           0     117     +117

Impacted Files	Coverage Δ
web/security/csrf.py	0% <0%> (ø)
web/security/permission.py	0% <0%> (ø)
web/security/release.py	0% <0%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more Δ = absolute <relative> (impact), ø = not affected, ? = missing data Powered by Codecov. Last update 4119bab...846b559. Read the comment docs.

[amcgregor]

So, after an initial look-over I see the user_* stuff as being methods on the CSRFHandler, and that handler should be lazily bound to the context at start, not on each prepare. The method can then be moved from the extension to the handler.

There is a repeating pattern, here, of signers with secrets that sign new signers. To illustrate:

A form's token is a combination of "{32 byte random value}{SHA256 HMAC}", the HMAC is signed using the user's secret (from cookie or session). If a cookie, it's a signed combination of "{32 byte random value}{SHA256 HMAC}", the HMAC is signed using the application's CSRF secret. The token / token factory thing seems to warrant its own reusable type.

[djdduty]

The now included csrf ext appears better documented, and likely better designed, going to close this but keep the code around for future reference in case modification of the included extension is needed.