automatic import of python-asgi-csrf

3 files changed, 394 insertions, 0 deletions

diff --git a/.gitignore b/.gitignore
index e69de29..e00f15b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/asgi-csrf-0.9.tar.gz
diff --git a/python-asgi-csrf.spec b/python-asgi-csrf.spec
new file mode 100644
index 0000000..768eb2c
--- /dev/null
+++ b/python-asgi-csrf.spec
@@ -0,0 +1,392 @@
+%global _empty_manifest_terminate_build 0
+Name:		python-asgi-csrf
+Version:	0.9
+Release:	1
+Summary:	ASGI middleware for protecting against CSRF attacks
+License:	Apache License, Version 2.0
+URL:		https://github.com/simonw/asgi-csrf
+Source0:	https://mirrors.nju.edu.cn/pypi/web/packages/29/9c/13d880d7ebe13956c037864eb7ac9dbcd0260d4c47844786f07ccca897e1/asgi-csrf-0.9.tar.gz
+BuildArch:	noarch
+
+Requires:	python3-itsdangerous
+Requires:	python3-multipart
+Requires:	python3-pytest
+Requires:	python3-pytest-asyncio
+Requires:	python3-httpx
+Requires:	python3-starlette
+Requires:	python3-pytest-cov
+Requires:	python3-asgi-lifespan
+
+%description
+# asgi-csrf
+
+[![PyPI](https://img.shields.io/pypi/v/asgi-csrf.svg)](https://pypi.org/project/asgi-csrf/)
+[![Changelog](https://img.shields.io/github/v/release/simonw/asgi-csrf?include_prereleases&label=changelog)](https://github.com/simonw/asgi-csrf/releases)
+[![codecov](https://codecov.io/gh/simonw/asgi-csrf/branch/main/graph/badge.svg)](https://codecov.io/gh/simonw/asgi-csrf)
+[![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](https://github.com/simonw/asgi-csrf/blob/main/LICENSE)
+
+ASGI middleware for protecting against CSRF attacks
+
+## Installation
+
+    pip install asgi-csrf
+
+## Background
+
+See the [OWASP guide to Cross Site Request Forgery (CSRF)](https://owasp.org/www-community/attacks/csrf) and their [Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html).
+
+This middleware implements the [Double Submit Cookie pattern](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie), where a cookie is set that is then compared to a `csrftoken` hidden form field or a `x-csrftoken` HTTP header.
+
+## Usage
+
+Decorate your ASGI application like this:
+
+```python
+from asgi_csrf import asgi_csrf
+from .my_asgi_app import app
+
+
+app = asgi_csrf(app, signing_secret="secret-goes-here")
+```
+
+The middleware will set a `csrftoken` cookie, if one is missing. The value of that token will be made available to your ASGI application through the `scope["csrftoken"]` function.
+
+Your application code should include that value as a hidden form field in any POST forms:
+
+```html
+<form action="/login" method="POST">
+    ...
+    <input type="hidden" name="csrftoken" value="{{ request.scope.csrftoken() }}">
+</form>
+```
+
+Note that `request.scope["csrftoken"]()` is a function that returns a string. Calling that function also lets the middleware know that the cookie should be set by that page, if the user does not already have that cookie.
+
+If the cookie needs to be set, the middleware will add a `Vary: Cookie` header to the response to ensure it is not incorrectly cached by any CDNs or intermediary proxies.
+
+The middleware will return a 403 forbidden error for any POST requests that do not include the matching `csrftoken` - either in the POST data or in a `x-csrftoken` HTTP header (useful for JavaScript `fetch()` calls).
+
+The `signing_secret` is used to sign the tokens, to protect against subdomain vulnerabilities.
+
+If you do not pass in an explicit `signing_secret` parameter, the middleware will look for a `ASGI_CSRF_SECRET` environment variable.
+
+If it cannot find that environment variable, it will generate a random secret which will persist for the lifetime of the server.
+
+This means that if you do not configure a specific secret your user's `csrftoken` cookies will become invalid every time the server restarts! You should configure a secret.
+
+## Always setting the cookie if it is not already set
+
+By default this middleware only sets the `csrftoken` cookie if the user encounters a page that needs it - due to that page calling the `request.scope["csrftoken"]()` function, for example to populate a hidden field in a form.
+
+If you would like the middleware to set that cookie for any incoming request that does not already provide the cookie, you can use the `always_set_cookie=True` argument:
+
+```python
+app = asgi_csrf(app, signing_secret="secret-goes-here", always_set_cookie=True)
+```
+
+## Other cases that skip CSRF protection
+
+If the request includes an `Authorization: Bearer ...` header, commonly used by OAuth and JWT authentication, the request will not be required to include a CSRF token. This is because browsers cannot send those headers in a context that can be abused.
+
+If the request has no cookies at all it will be allowed through, since CSRF protection is only necessary for requests from authenticated users.
+
+### always_protect
+
+If you have paths that should always be protected even without cookies - your login form for example (to avoid [login CSRF](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#login-csrf) attacks) you can protect those paths by passing them as the ``always_protect`` parameter:
+
+```python
+app = asgi_csrf(
+    app,
+    signing_secret="secret-goes-here",
+    always_protect={"/login"}
+)
+```
+
+### skip_if_scope
+
+There may be situations in which you want to opt-out of CSRF protection even for authenticated POST requests - this is often the case for web APIs for example.
+
+The `skip_if_scope=` parameter can be used to provide a callback function which is passed an ASGI scope and returns `True` if CSRF protection should be skipped for that request.
+
+This example skips CSRF protection for any incoming request where the request path starts with `/api/`:
+
+```python
+def skip_api_paths(scope)
+    return scope["path"].startswith("/api/")
+
+app = asgi_csrf(
+    app,
+    signing_secret="secret-goes-here",
+    skip_if_scope=skip_api_paths
+)
+```
+
+
+
+
+%package -n python3-asgi-csrf
+Summary:	ASGI middleware for protecting against CSRF attacks
+Provides:	python-asgi-csrf
+BuildRequires:	python3-devel
+BuildRequires:	python3-setuptools
+BuildRequires:	python3-pip
+%description -n python3-asgi-csrf
+# asgi-csrf
+
+[![PyPI](https://img.shields.io/pypi/v/asgi-csrf.svg)](https://pypi.org/project/asgi-csrf/)
+[![Changelog](https://img.shields.io/github/v/release/simonw/asgi-csrf?include_prereleases&label=changelog)](https://github.com/simonw/asgi-csrf/releases)
+[![codecov](https://codecov.io/gh/simonw/asgi-csrf/branch/main/graph/badge.svg)](https://codecov.io/gh/simonw/asgi-csrf)
+[![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](https://github.com/simonw/asgi-csrf/blob/main/LICENSE)
+
+ASGI middleware for protecting against CSRF attacks
+
+## Installation
+
+    pip install asgi-csrf
+
+## Background
+
+See the [OWASP guide to Cross Site Request Forgery (CSRF)](https://owasp.org/www-community/attacks/csrf) and their [Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html).
+
+This middleware implements the [Double Submit Cookie pattern](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie), where a cookie is set that is then compared to a `csrftoken` hidden form field or a `x-csrftoken` HTTP header.
+
+## Usage
+
+Decorate your ASGI application like this:
+
+```python
+from asgi_csrf import asgi_csrf
+from .my_asgi_app import app
+
+
+app = asgi_csrf(app, signing_secret="secret-goes-here")
+```
+
+The middleware will set a `csrftoken` cookie, if one is missing. The value of that token will be made available to your ASGI application through the `scope["csrftoken"]` function.
+
+Your application code should include that value as a hidden form field in any POST forms:
+
+```html
+<form action="/login" method="POST">
+    ...
+    <input type="hidden" name="csrftoken" value="{{ request.scope.csrftoken() }}">
+</form>
+```
+
+Note that `request.scope["csrftoken"]()` is a function that returns a string. Calling that function also lets the middleware know that the cookie should be set by that page, if the user does not already have that cookie.
+
+If the cookie needs to be set, the middleware will add a `Vary: Cookie` header to the response to ensure it is not incorrectly cached by any CDNs or intermediary proxies.
+
+The middleware will return a 403 forbidden error for any POST requests that do not include the matching `csrftoken` - either in the POST data or in a `x-csrftoken` HTTP header (useful for JavaScript `fetch()` calls).
+
+The `signing_secret` is used to sign the tokens, to protect against subdomain vulnerabilities.
+
+If you do not pass in an explicit `signing_secret` parameter, the middleware will look for a `ASGI_CSRF_SECRET` environment variable.
+
+If it cannot find that environment variable, it will generate a random secret which will persist for the lifetime of the server.
+
+This means that if you do not configure a specific secret your user's `csrftoken` cookies will become invalid every time the server restarts! You should configure a secret.
+
+## Always setting the cookie if it is not already set
+
+By default this middleware only sets the `csrftoken` cookie if the user encounters a page that needs it - due to that page calling the `request.scope["csrftoken"]()` function, for example to populate a hidden field in a form.
+
+If you would like the middleware to set that cookie for any incoming request that does not already provide the cookie, you can use the `always_set_cookie=True` argument:
+
+```python
+app = asgi_csrf(app, signing_secret="secret-goes-here", always_set_cookie=True)
+```
+
+## Other cases that skip CSRF protection
+
+If the request includes an `Authorization: Bearer ...` header, commonly used by OAuth and JWT authentication, the request will not be required to include a CSRF token. This is because browsers cannot send those headers in a context that can be abused.
+
+If the request has no cookies at all it will be allowed through, since CSRF protection is only necessary for requests from authenticated users.
+
+### always_protect
+
+If you have paths that should always be protected even without cookies - your login form for example (to avoid [login CSRF](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#login-csrf) attacks) you can protect those paths by passing them as the ``always_protect`` parameter:
+
+```python
+app = asgi_csrf(
+    app,
+    signing_secret="secret-goes-here",
+    always_protect={"/login"}
+)
+```
+
+### skip_if_scope
+
+There may be situations in which you want to opt-out of CSRF protection even for authenticated POST requests - this is often the case for web APIs for example.
+
+The `skip_if_scope=` parameter can be used to provide a callback function which is passed an ASGI scope and returns `True` if CSRF protection should be skipped for that request.
+
+This example skips CSRF protection for any incoming request where the request path starts with `/api/`:
+
+```python
+def skip_api_paths(scope)
+    return scope["path"].startswith("/api/")
+
+app = asgi_csrf(
+    app,
+    signing_secret="secret-goes-here",
+    skip_if_scope=skip_api_paths
+)
+```
+
+
+
+
+%package help
+Summary:	Development documents and examples for asgi-csrf
+Provides:	python3-asgi-csrf-doc
+%description help
+# asgi-csrf
+
+[![PyPI](https://img.shields.io/pypi/v/asgi-csrf.svg)](https://pypi.org/project/asgi-csrf/)
+[![Changelog](https://img.shields.io/github/v/release/simonw/asgi-csrf?include_prereleases&label=changelog)](https://github.com/simonw/asgi-csrf/releases)
+[![codecov](https://codecov.io/gh/simonw/asgi-csrf/branch/main/graph/badge.svg)](https://codecov.io/gh/simonw/asgi-csrf)
+[![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](https://github.com/simonw/asgi-csrf/blob/main/LICENSE)
+
+ASGI middleware for protecting against CSRF attacks
+
+## Installation
+
+    pip install asgi-csrf
+
+## Background
+
+See the [OWASP guide to Cross Site Request Forgery (CSRF)](https://owasp.org/www-community/attacks/csrf) and their [Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html).
+
+This middleware implements the [Double Submit Cookie pattern](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie), where a cookie is set that is then compared to a `csrftoken` hidden form field or a `x-csrftoken` HTTP header.
+
+## Usage
+
+Decorate your ASGI application like this:
+
+```python
+from asgi_csrf import asgi_csrf
+from .my_asgi_app import app
+
+
+app = asgi_csrf(app, signing_secret="secret-goes-here")
+```
+
+The middleware will set a `csrftoken` cookie, if one is missing. The value of that token will be made available to your ASGI application through the `scope["csrftoken"]` function.
+
+Your application code should include that value as a hidden form field in any POST forms:
+
+```html
+<form action="/login" method="POST">
+    ...
+    <input type="hidden" name="csrftoken" value="{{ request.scope.csrftoken() }}">
+</form>
+```
+
+Note that `request.scope["csrftoken"]()` is a function that returns a string. Calling that function also lets the middleware know that the cookie should be set by that page, if the user does not already have that cookie.
+
+If the cookie needs to be set, the middleware will add a `Vary: Cookie` header to the response to ensure it is not incorrectly cached by any CDNs or intermediary proxies.
+
+The middleware will return a 403 forbidden error for any POST requests that do not include the matching `csrftoken` - either in the POST data or in a `x-csrftoken` HTTP header (useful for JavaScript `fetch()` calls).
+
+The `signing_secret` is used to sign the tokens, to protect against subdomain vulnerabilities.
+
+If you do not pass in an explicit `signing_secret` parameter, the middleware will look for a `ASGI_CSRF_SECRET` environment variable.
+
+If it cannot find that environment variable, it will generate a random secret which will persist for the lifetime of the server.
+
+This means that if you do not configure a specific secret your user's `csrftoken` cookies will become invalid every time the server restarts! You should configure a secret.
+
+## Always setting the cookie if it is not already set
+
+By default this middleware only sets the `csrftoken` cookie if the user encounters a page that needs it - due to that page calling the `request.scope["csrftoken"]()` function, for example to populate a hidden field in a form.
+
+If you would like the middleware to set that cookie for any incoming request that does not already provide the cookie, you can use the `always_set_cookie=True` argument:
+
+```python
+app = asgi_csrf(app, signing_secret="secret-goes-here", always_set_cookie=True)
+```
+
+## Other cases that skip CSRF protection
+
+If the request includes an `Authorization: Bearer ...` header, commonly used by OAuth and JWT authentication, the request will not be required to include a CSRF token. This is because browsers cannot send those headers in a context that can be abused.
+
+If the request has no cookies at all it will be allowed through, since CSRF protection is only necessary for requests from authenticated users.
+
+### always_protect
+
+If you have paths that should always be protected even without cookies - your login form for example (to avoid [login CSRF](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#login-csrf) attacks) you can protect those paths by passing them as the ``always_protect`` parameter:
+
+```python
+app = asgi_csrf(
+    app,
+    signing_secret="secret-goes-here",
+    always_protect={"/login"}
+)
+```
+
+### skip_if_scope
+
+There may be situations in which you want to opt-out of CSRF protection even for authenticated POST requests - this is often the case for web APIs for example.
+
+The `skip_if_scope=` parameter can be used to provide a callback function which is passed an ASGI scope and returns `True` if CSRF protection should be skipped for that request.
+
+This example skips CSRF protection for any incoming request where the request path starts with `/api/`:
+
+```python
+def skip_api_paths(scope)
+    return scope["path"].startswith("/api/")
+
+app = asgi_csrf(
+    app,
+    signing_secret="secret-goes-here",
+    skip_if_scope=skip_api_paths
+)
+```
+
+
+
+
+%prep
+%autosetup -n asgi-csrf-0.9
+
+%build
+%py3_build
+
+%install
+%py3_install
+install -d -m755 %{buildroot}/%{_pkgdocdir}
+if [ -d doc ]; then cp -arf doc %{buildroot}/%{_pkgdocdir}; fi
+if [ -d docs ]; then cp -arf docs %{buildroot}/%{_pkgdocdir}; fi
+if [ -d example ]; then cp -arf example %{buildroot}/%{_pkgdocdir}; fi
+if [ -d examples ]; then cp -arf examples %{buildroot}/%{_pkgdocdir}; fi
+pushd %{buildroot}
+if [ -d usr/lib ]; then
+	find usr/lib -type f -printf "/%h/%f\n" >> filelist.lst
+fi
+if [ -d usr/lib64 ]; then
+	find usr/lib64 -type f -printf "/%h/%f\n" >> filelist.lst
+fi
+if [ -d usr/bin ]; then
+	find usr/bin -type f -printf "/%h/%f\n" >> filelist.lst
+fi
+if [ -d usr/sbin ]; then
+	find usr/sbin -type f -printf "/%h/%f\n" >> filelist.lst
+fi
+touch doclist.lst
+if [ -d usr/share/man ]; then
+	find usr/share/man -type f -printf "/%h/%f.gz\n" >> doclist.lst
+fi
+popd
+mv %{buildroot}/filelist.lst .
+mv %{buildroot}/doclist.lst .
+
+%files -n python3-asgi-csrf -f filelist.lst
+%dir %{python3_sitelib}/*
+
+%files help -f doclist.lst
+%{_docdir}/*
+
+%changelog
+* Tue Apr 11 2023 Python_Bot <Python_Bot@openeuler.org> - 0.9-1
+- Package Spec generated
diff --git a/sources b/sources
new file mode 100644
index 0000000..eaa65be
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+08212bf28a12bc8cd0509ebb1d22b29f  asgi-csrf-0.9.tar.gz