From 05febb1a0ce018690168890ed4804eea9d84499d Mon Sep 17 00:00:00 2001
From: yackob03
Date: Thu, 30 Jan 2014 13:42:25 -0500
Subject: [PATCH] Switch the CSRF token to logging only to test for a little while in prod.

---
 endpoints/api.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/endpoints/api.py b/endpoints/api.py
index da37c2508..c0f10effc 100644
--- a/endpoints/api.py
+++ b/endpoints/api.py
@@ -37,6 +37,7 @@ route_data = None
 api = Blueprint('api', __name__)
 
+
 @api.before_request
 def csrf_protect():
   if request.method != "GET" and request.method != "HEAD":
@@ -45,7 +46,13 @@ def csrf_protect():
 
     # TODO: add if not token here, once we are sure all sessions have a token.
     if token != found_token:
-      abort(403)
+      msg = 'CSRF Failure. Session token was %s and request token was %s'
+      logger.error(msg, token, found_token)
+
+      if not token:
+        req_user = current_user.db_user().username if current_user else None
+        logger.warning('No CSRF token in session for current user: %s' %
+                       req_user)
 
 
 def get_route_data():
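Review bot: `logger.error(msg, token, found_token)` writes both the session CSRF token and the request-supplied token in plaintext to the log, so the log store now holds live per-session secrets for as long as it is retained; log only presence or mismatch, e.g. `logger.error('CSRF Failure. Session token present: %s, request token present: %s', bool(token), bool(found_token))`. The `if not token:` warning is nested under the mismatch branch, so a session with no token is only reported when the request carried one, which is presumably not what the TODO above it intends. Because this commit makes the check non-enforcing with no flag or reminder to restore `abort(403)`, a comment such as `# TODO: re-enable abort(403) once the CSRF token rollout has been verified in prod` would keep the temporary state visible to the next reader. csrf_protect begins before this hunk, so where `token` and `found_token` come from is not visible here.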