From 219fbd6950accddd00298db21b7e455262ab236d Mon Sep 17 00:00:00 2001
From: jakedt
Date: Tue, 25 Mar 2014 14:35:19 -0400
Subject: [PATCH] Make the CSRF checks mandatory.
---
 endpoints/csrf.py | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/endpoints/csrf.py b/endpoints/csrf.py
index 3ac25bf2a..0244aba2c 100644
--- a/endpoints/csrf.py
+++ b/endpoints/csrf.py
@@ -26,16 +26,11 @@ def csrf_protect(func):
 token = session.get('_csrf_token', None)
 found_token = request.values.get('_csrf_token', None)
- # TODO: add if not token here, once we are sure all sessions have a token.
- if token != found_token:
+ if not token or token != found_token:
 msg = 'CSRF Failure. Session token was %s and request token was %s'
 logger.error(msg, token, found_token)
 abort(403, message='CSRF token was invalid or missing.')
- if not token:
- logger.warning('No CSRF token in session.')
- else:
- logger.debug('Found and validated CSRF token.')
 return func(*args, **kwargs)
 return wrapper
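Review bot: The added line still compares the session token to the request token with `!=`, which short-circuits on the first differing byte; a constant-time comparison is the usual choice for a secret check, e.g. `if not token or not hmac.compare_digest(token, found_token or ''):` (with `import hmac` at the top of the file, where the interpreter provides `compare_digest`). The `or ''` is needed because `request.values.get` returns None when the field is absent and `compare_digest` rejects None. Separately, the `logger.error` call on the next context line writes the session's CSRF token value into the log at error level now that every failure path goes through it; logging only whether each side was present, rather than the values, would keep the secret out of log storage. The enclosing `wrapper` and `csrf_protect` definitions begin before this hunk.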