Fix and unify CSRF support across web and API endpoints.

endpoints/web.py

@@ -14,7 +14,8 @@ from auth.permissions import AdministerOrganizationPermission
 from util.invoice import renderInvoiceToPdf
 from util.seo import render_snapshot
 from util.cache import no_cache
-from endpoints.common import common_login, render_page_template, generate_csrf_token
+from endpoints.common import common_login, render_page_template
+from endpoints.csrf import csrf_protect, generate_csrf_token
 from util.names import parse_repository_name
 from util.gravatar import compute_hash
 from auth import scopes
@@ -248,6 +249,7 @@ class FlaskAuthorizationProvider(DatabaseAuthorizationProvider):
 
 
 @web.route('/oauth/authorizeapp', methods=['POST'])
+@csrf_protect
 def authorize_application():
   if not current_user.is_authenticated():
     abort(401)
@@ -257,18 +259,13 @@ def authorize_application():
   client_id = request.form.get('client_id', None)
   redirect_uri = request.form.get('redirect_uri', None)
   scope = request.form.get('scope', None)
-  csrf = request.form.get('csrf', None)
-
-  # Verify the csrf token.
-  if csrf != generate_csrf_token():
-    abort(404)
-    return
 
   # Add the access token.
   return provider.get_token_response('token', client_id, redirect_uri, scope=scope)
 
 
 @web.route('/oauth/denyapp', methods=['POST'])
+@csrf_protect
 def deny_application():
   if not current_user.is_authenticated():
     abort(401)
@@ -278,12 +275,6 @@ def deny_application():
   client_id = request.form.get('client_id', None)
   redirect_uri = request.form.get('redirect_uri', None)
   scope = request.form.get('scope', None)
-  csrf = request.form.get('csrf', None)
-
-  # Verify the csrf token.
-  if csrf != generate_csrf_token():
-    abort(404)
-    return
 
   # Add the access token.
   return provider.get_auth_denied_response('token', client_id, redirect_uri, scope=scope)