Example #1
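        def _csrf_init():
            """Validate the CSRF configuration and wire up the CSRF cookie/header.

            Cross-checks Flask-Security's CSRF settings (read via ``cv``) against
            Flask-WTF's ``CSRFProtect`` instance (looked up in
            ``current_app.extensions["csrf"]``) and refuses to start on
            combinations that would silently leave endpoints unprotected.
            Some of these checks are opinionated - there could be a reason for
            some of these combinations - but in general they cause strange
            behavior.

            Raises:
                ValueError: if CSRF_PROTECT_MECHANISMS is narrowed without
                    CsrfProtect, or without WTF_CSRF_CHECK_DEFAULT=False; if
                    CSRF_IGNORE_UNAUTH_ENDPOINTS is set while Flask-WTF still
                    checks every request itself; or if CSRF_COOKIE is configured
                    without CsrfProtect.
            """
            # WTF_CSRF_ENABLED defaults to True if not set in Flask-WTF. If the
            # app turned CSRF off entirely there is nothing to validate.
            if not current_app.config.get("WTF_CSRF_ENABLED", True):
                return
            csrf = current_app.extensions.get("csrf", None)

            # Flask-WTF's WTF_CSRF_CHECK_DEFAULT defaults to True (check every
            # request). Read it ONCE with that default so every check below
            # agrees with what Flask-WTF will actually do. The unauth-endpoints
            # check used to read it with a False default, which let an unset
            # key pass even though Flask-WTF treats "unset" as True.
            check_default = current_app.config.get("WTF_CSRF_CHECK_DEFAULT", True)

            # If they don't want ALL mechanisms protected, then they must
            # set WTF_CSRF_CHECK_DEFAULT=False so that our decorators get control.
            if cv("CSRF_PROTECT_MECHANISMS") != AUTHN_MECHANISMS:
                if not csrf:
                    # This isn't good.
                    raise ValueError(
                        "CSRF_PROTECT_MECHANISMS defined but"
                        " CsrfProtect not part of application"
                    )
                if check_default:
                    raise ValueError(
                        "WTF_CSRF_CHECK_DEFAULT must be set to False if"
                        " CSRF_PROTECT_MECHANISMS is set"
                    )
            # We don't get control unless they turn off WTF_CSRF_CHECK_DEFAULT if
            # they have enabled global CSRFProtect.
            if cv("CSRF_IGNORE_UNAUTH_ENDPOINTS") and csrf and check_default:
                raise ValueError(
                    "To ignore unauth endpoints you must set WTF_CSRF_CHECK_DEFAULT"
                    " to False"
                )

            csrf_cookie = cv("CSRF_COOKIE")
            # The cookie feature is "on" only when a cookie name ("key") is set.
            cookie_enabled = bool(csrf_cookie and csrf_cookie["key"])
            if cookie_enabled and not csrf:
                # Common use case is for cookie value to be used as contents for header
                # which is only looked at when CsrfProtect is initialized.
                # Yes, this is opinionated - they can always get CSRF token via:
                # 'get /login'
                raise ValueError(
                    "CSRF_COOKIE defined however CsrfProtect not part of application"
                )

            if csrf:
                # NOTE(review): exempting logout means a cross-site request can
                # log a user out (forced logout). Low impact, but confirm it
                # matches the project's threat model.
                csrf.exempt("flask_security.views.logout")
            if cookie_enabled:
                # csrf_cookie_handler presumably writes the CSRF token into the
                # configured cookie on each response - confirm; for the
                # cookie-to-header pattern that cookie must be readable by JS.
                current_app.after_request(csrf_cookie_handler)
                # Add configured header to WTF_CSRF_HEADERS so Flask-WTF accepts
                # the token presented in that header. Skip the append if the
                # header is already accepted, so re-running this does not pile
                # up duplicates.
                headers = current_app.config["WTF_CSRF_HEADERS"]
                header = cv("CSRF_HEADER")
                if header not in headers:
                    headers.append(header)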
Example #2
    def init_app(self, app):
        """Initialize Flask-WTF CSRF protection on ``app`` and hook the cookie writer.

        Delegates to the parent ``init_app`` first, then registers
        ``self.set_csrf_cookie`` as an ``after_request`` handler (presumably
        so the CSRF token is written to a cookie on each response - confirm).
        Returns whatever the parent ``init_app`` returned.
        """
        parent_result = super(CSRFProtect, self).init_app(app)
        # Register only after the parent has finished its own setup.
        app.after_request(self.set_csrf_cookie)
        return parent_result