From 1715dc938dbb149b8c548b9ccf5cd11bd34c21b3 Mon Sep 17 00:00:00 2001
From: Aevann
Date: Tue, 27 Dec 2022 05:00:15 +0200
Subject: [PATCH] dont generate nonce for xhr and increase nonce elngth
---
 files/routes/wrappers.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/files/routes/wrappers.py b/files/routes/wrappers.py
index 00016af4de..a365a53d47 100644
--- a/files/routes/wrappers.py
+++ b/files/routes/wrappers.py
@@ -41,9 +41,6 @@ def get_logged_in_user():
 else: session.pop("lo_user")
- g.is_api = v and v.client
- g.is_api_or_xhr = bool(g.is_api or request.headers.get("xhr"))
-
 if request.method.lower() != "get" and get_setting('read_only_mode') and not (v and v.admin_level >= PERMS['SITE_BYPASS_READ_ONLY_MODE']): abort(403)
@@ -70,8 +67,10 @@ def get_logged_in_user():
 t = time.strftime("%d/%B/%Y %H:%M:%S UTC", time.gmtime(time.time()))
 log_file(f'@{v.username}, {v.truescore}, {ip}, {t}\n', 'eg.log')
- if not g.is_api:
- g.nonce = secrets.token_urlsafe(16)
+ g.is_api_or_xhr = bool((v and v.client) or request.headers.get("xhr"))
+
+ if not g.is_api_or_xhr:
+ g.nonce = secrets.token_urlsafe(31)
 return v
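Review bot: In the second hunk `g.is_api_or_xhr` is now assigned only near the end of get_logged_in_user, after the read-only-mode check and the logging block that previously ran with it already set, and the old `g.is_api` attribute is dropped altogether; any code in that stretch (including an early return, if one exists there), or in another module, that still reads `g.is_api` or `g.is_api_or_xhr` before this point will raise AttributeError on the Flask `g` proxy instead of seeing False. If nothing between the two positions needs the flag, the smaller change is to leave the assignment where the first hunk deletes it and move only the nonce condition, i.e. keep `g.is_api_or_xhr = bool((v and v.client) or request.headers.get("xhr"))` at its original place. Separately, whether `g.nonce` exists now depends on a request header any client can send, so whatever consumes the nonce (the CSP header or templates, not visible here) should read it as `getattr(g, "nonce", None)` and tolerate its absence rather than assume it is set. Both hunks are cut from a function whose start and end lie outside the patch.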