Make the CSRF checks mandatory.

endpoints/csrf.py

@@ -26,16 +26,11 @@ def csrf_protect(func):
       token = session.get('_csrf_token', None)
       found_token = request.values.get('_csrf_token', None)
 
-      # TODO: add if not token here, once we are sure all sessions have a token.
+      if not token or token != found_token:
-      if token != found_token:
         msg = 'CSRF Failure. Session token was %s and request token was %s'
         logger.error(msg, token, found_token)
         abort(403, message='CSRF token was invalid or missing.')
 
-      if not token:
-        logger.warning('No CSRF token in session.')
-      else:
-        logger.debug('Found and validated CSRF token.')
     return func(*args, **kwargs)
   return wrapper