authorErich Eckner <git@eckner.net>2022-12-22 19:07:56 +0100
committerErich Eckner <git@eckner.net>2022-12-22 19:07:56 +0100
commitf2a75bf0fc91ad08597d6eb25450e5638c0bd698 (patch)
treedf60cdb817aee4485b26b685a248a496bc6632ef
parent683a6becbb82bef536b7bb0df328e17a2d2e330e (diff)
do not rely on tornado's cookie encryption functionality
this way, we can present (and decode!) the riddle in json, too
-rwxr-xr-xserver.py16
1 files changed, 10 insertions, 6 deletions
diff --git a/server.py b/server.py
index dff7d7c..094ff70 100755
--- a/server.py
+++ b/server.py
@@ -5,20 +5,26 @@ import tornado.web
import random
import string
import os
+from cryptography.fernet import Fernet
root_dir = os.path.dirname(os.path.realpath(__file__))
with open(root_dir + '/german-5.dic', encoding='utf-8') as f:
dictionary = [ word.lower() for word in f.read().split('\n') ]
+fernet = Fernet(Fernet.generate_key())
+
class BaseHandler(tornado.web.RequestHandler):
def get_current_riddle(self):
- return self.get_secure_cookie('riddle')
+ riddle = self.get_argument('riddle', self.get_cookie('riddle'))
+ if riddle:
+ return fernet.decrypt(riddle.encode('utf-8'))
+ return False
class CreateHandler(BaseHandler):
def get(self):
self.set_header('Access-Control-Allow-Origin','*')
- cookie_value = self.create_signed_value('riddle', random.SystemRandom().choice(dictionary).lower())
- self.set_cookie('riddle', cookie_value);
+ cookie_value = fernet.encrypt(random.SystemRandom().choice(dictionary).lower().encode('utf-8'))
+ self.set_cookie('riddle', cookie_value)
for redirection in self.get_arguments('next'):
self.redirect(redirection)
return
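Review bot: In `get_current_riddle`, `fernet.decrypt(...)` raises `InvalidToken` for any malformed, tampered or unknown-key token, and because the value can now also arrive through the `riddle` request argument, any client can trigger an unhandled exception (presumably a 500 response) instead of the "no riddle" path. Import the exception with `from cryptography.fernet import Fernet, InvalidToken` and wrap the call: `try: return fernet.decrypt(riddle.encode('utf-8'))` followed by `except InvalidToken: return False`. The removed `get_secure_cookie` also enforced a maximum age on the signed value, whereas `decrypt` without a `ttl=` argument accepts a token for as long as the key exists, so consider passing a `ttl`. Since the key comes from `Fernet.generate_key()` at import time, tokens issued before a restart or by another worker process will reach the same `InvalidToken` path, which makes handling it more important.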
@@ -74,9 +80,7 @@ def make_app():
(r'/', ReadmeHandler),
(r'/create', CreateHandler),
(r'/try/(.+)', TrialHandler),
- ],
- cookie_secret = ''.join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(64))
- )
+ ])
if __name__ == "__main__":
app = make_app()