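def _csrf_init():
    """Validate the CSRF configuration and wire up CSRF support.

    Must run inside an application context (it reads ``current_app``).
    Performs a handful of opinionated consistency checks between
    Flask-Security's ``CSRF_*`` settings and Flask-WTF's ``WTF_CSRF_*``
    settings, then registers the pieces that require a Flask-WTF
    ``CsrfProtect`` instance to be present in
    ``current_app.extensions["csrf"]``.

    Side effects (skipped entirely when ``WTF_CSRF_ENABLED`` is False):
      * exempts ``flask_security.views.logout`` from CSRF checking;
      * when ``CSRF_COOKIE["key"]`` is set, registers
        ``csrf_cookie_handler`` as an ``after_request`` hook and adds
        ``CSRF_HEADER`` to ``WTF_CSRF_HEADERS`` so Flask-WTF accepts the
        token from that header as well.

    Raises:
        ValueError: for a configuration combination that would otherwise
            fail silently (each case is explained inline below).
    """
    # various config checks - some of these are opinionated in that there
    # could be a reason for some of these combinations - but in general
    # they cause strange behavior.
    # WTF_CSRF_ENABLED defaults to True if not set in Flask-WTF
    if not current_app.config.get("WTF_CSRF_ENABLED", True):
        return
    csrf = current_app.extensions.get("csrf", None)

    # If they don't want ALL mechanisms protected, then they must
    # set WTF_CSRF_CHECK_DEFAULT=False so that our decorators get control.
    if cv("CSRF_PROTECT_MECHANISMS") != AUTHN_MECHANISMS:
        if not csrf:
            # This isn't good - without CsrfProtect nothing would ever
            # enforce the per-mechanism protection that was asked for.
            raise ValueError(
                "CSRF_PROTECT_MECHANISMS defined but"
                " CsrfProtect not part of application"
            )
        if current_app.config.get("WTF_CSRF_CHECK_DEFAULT", True):
            raise ValueError(
                "WTF_CSRF_CHECK_DEFAULT must be set to False if"
                " CSRF_PROTECT_MECHANISMS is set"
            )

    # We don't get control unless they turn off WTF_CSRF_CHECK_DEFAULT if
    # they have enabled global CSRFProtect.
    if (
        cv("CSRF_IGNORE_UNAUTH_ENDPOINTS")
        and csrf
        and current_app.config.get("WTF_CSRF_CHECK_DEFAULT", False)
    ):
        raise ValueError(
            "To ignore unauth endpoints you must set WTF_CSRF_CHECK_DEFAULT"
            " to False"
        )

    csrf_cookie = cv("CSRF_COOKIE")
    if csrf_cookie and csrf_cookie["key"] and not csrf:
        # Common use case is for cookie value to be used as contents for header
        # which is only looked at when CsrfProtect is initialized.
        # Yes, this is opinionated - they can always get CSRF token via:
        # 'get /login'
        raise ValueError(
            "CSRF_COOKIE defined however CsrfProtect not part of application"
        )

    if csrf:
        csrf.exempt("flask_security.views.logout")
    if csrf_cookie and csrf_cookie["key"]:
        # The check above guarantees ``csrf`` is set here, so Flask-WTF has
        # already populated WTF_CSRF_HEADERS in the app config.
        current_app.after_request(csrf_cookie_handler)
        # Add configured header to WTF_CSRF_HEADERS. Guard against adding it
        # twice when init runs more than once for the same app (e.g. a
        # re-init in tests) - Flask-WTF consults this list on every request.
        accepted_headers = current_app.config["WTF_CSRF_HEADERS"]
        csrf_header = cv("CSRF_HEADER")
        if csrf_header not in accepted_headers:
            accepted_headers.append(csrf_header)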
def init_app(self, app):
    """Initialise Flask-WTF CSRF protection on *app* and register
    ``self.set_csrf_cookie`` as an ``after_request`` hook (presumably so the
    CSRF token is returned to the client in a cookie - confirm against
    ``set_csrf_cookie``).

    Returns whatever the parent class's ``init_app`` returns.
    """
    # Let the parent class do its normal setup first; our hook is appended
    # afterwards so it runs on every response of this app.
    result = super(CSRFProtect, self).init_app(app)
    app.after_request(self.set_csrf_cookie)
    return result