From 3c074948094c7e2ab897d4e4e2e17c513ce63613 Mon Sep 17 00:00:00 2001
From: Thomas Sileo <t@a4.io>
Date: Fri, 9 Jun 2023 22:22:37 +0200
Subject: [PATCH] Make CSRF expiration configurable and increase default value

---
 app/config.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/config.py b/app/config.py
index fe691d7..1cd593c 100644
--- a/app/config.py
+++ b/app/config.py
@@ -124,6 +124,7 @@ class Config(pydantic.BaseModel):
     key_path: str | None = None
 
     session_timeout: int = 3600 * 24 * 3  # in seconds, 3 days by default
+    csrf_token_exp: int = 3600
 
     disabled_notifications: list[str] = []
 
@@ -263,7 +264,7 @@ def verify_csrf_token(
     if redirect_url:
         please_try_again = f'<a href="{redirect_url}">please try again</a>'
     try:
-        csrf_serializer.loads(csrf_token, max_age=1800)
+        csrf_serializer.loads(csrf_token, max_age=CONFIG.csrf_token_exp)
     except (itsdangerous.BadData, itsdangerous.SignatureExpired):
         logger.exception("Failed to verify CSRF token")
         raise HTTPException(