"""

Cross Site Request Forgery Middleware.

This module provides a middleware that implements protection

against request forgeries from other sites.

"""

import re

import itertools

from django.conf import settings

from django.http import HttpResponseForbidden

from django.utils.hashcompat import md5_constructor

from django.utils.safestring import mark_safe

_ERROR_MSG = mark_safe('<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><body><h1>403 Forbidden</h1><p>Cross Site Request Forgery detected. Request aborted.</p></body></html>')

_POST_FORM_RE = \

    re.compile(r'(<form\W[^>]*\bmethod=(\'|"|)POST(\'|"|)\b[^>]*>)', re.IGNORECASE)

_HTML_TYPES = ('text/html', 'application/xhtml+xml')

def _make_token(session_id):

    return md5_constructor(settings.SECRET_KEY + session_id).hexdigest()

class CsrfMiddleware(object):

    """Django middleware that adds protection against Cross Site

    Request Forgeries by adding hidden form fields to POST forms and

    checking requests for the correct value.

    In the list of middlewares, SessionMiddleware is required, and must come

    after this middleware.  CsrfMiddleWare must come after compression

    middleware.

    If a session ID cookie is present, it is hashed with the SECRET_KEY

    setting to create an authentication token.  This token is added to all

    outgoing POST forms and is expected on all incoming POST requests that

    have a session ID cookie.

    If you are setting cookies directly, instead of using Django's session

    framework, this middleware will not work.

    """

    def process_request(self, request):

        if request.method == 'POST':

            try:

                session_id = request.COOKIES[settings.SESSION_COOKIE_NAME]

            except KeyError:

                # No session, no check required

                return None

            csrf_token = _make_token(session_id)

            # check incoming token

            try:

                request_csrf_token = request.POST['csrfmiddlewaretoken']

            except KeyError:

                return HttpResponseForbidden(_ERROR_MSG)

            if request_csrf_token != csrf_token:

                return HttpResponseForbidden(_ERROR_MSG)

        return None

    def process_response(self, request, response):

        csrf_token = None

        try:

            cookie = response.cookies[settings.SESSION_COOKIE_NAME]

            csrf_token = _make_token(cookie.value)

        except KeyError:

            # No outgoing cookie to set session, but

            # a session might already exist.

            try:

                session_id = request.COOKIES[settings.SESSION_COOKIE_NAME]

                csrf_token = _make_token(session_id)

            except KeyError:

                # no incoming or outgoing cookie

                pass

        if csrf_token is not None and \

                response['Content-Type'].split(';')[0] in _HTML_TYPES:

            # ensure we don't add the 'id' attribute twice (HTML validity)

            idattributes = itertools.chain(("id='csrfmiddlewaretoken'",),

                                            itertools.repeat(''))

            def add_csrf_field(match):

                """Returns the matched <form> tag plus the added <input> element"""

                return mark_safe(match.group() + "<div style='display:none;'>" + \

                "<input type='hidden' " + idattributes.next() + \

                " name='csrfmiddlewaretoken' value='" + csrf_token + \

                "' /></div>")

            # Modify any POST forms

            response.content = _POST_FORM_RE.sub(add_csrf_field, response.content)

        return response