Move each flask module into a Blueprint and have CSRF protection only on the API blueprint
parent
b598c7ec85
commit
310c98df50
8 changed files with 174 additions and 162 deletions
|
@ -51,15 +51,14 @@ def common_login(db_user):
|
|||
return False
|
||||
|
||||
|
||||
@app.before_request
|
||||
def csrf_protect():
|
||||
if request.method != "GET" and request.method != "HEAD":
|
||||
token = session.get('_csrf_token', None)
|
||||
found_token = request.values.get('_csrf_token', None)
|
||||
@app.errorhandler(model.DataModelException)
|
||||
def handle_dme(ex):
|
||||
return make_response(ex.message, 400)
|
||||
|
||||
# TODO: add if not token here, once we are sure all sessions have a token.
|
||||
if token != found_token:
|
||||
abort(403)
|
||||
|
||||
@app.errorhandler(KeyError)
|
||||
def handle_dme_key_error(ex):
|
||||
return make_response(ex.message, 400)
|
||||
|
||||
|
||||
def generate_csrf_token():
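Review bot: The `@app.errorhandler(KeyError)` handler is registered for the whole app, so a `KeyError` raised by any lookup in any view, including a plain programming error, is answered with a 400 whose body is `ex.message`. That reports server-side bugs as client errors and returns an internal key name to the caller; because a string passed to `make_response` is served as `text/html` by default, a key that originates from request data would also be echoed unescaped. Consider raising `model.DataModelException` where a required field is missing and dropping this handler, or at least returning a fixed body such as `make_response('Missing or invalid parameter', 400)` and logging `ex` server-side. Separately, with the app-wide `csrf_protect` hook no longer in this file, non-GET routes outside the API blueprint depend on whatever check their own blueprint registers, which this hunk does not show. The +/- markers are lost on this page, so which lines are added is inferred from the hunk counts and the commit title.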
|
||||
|
|