Fix CSRF
parent
03cae23651
commit
bebd9b0db8
5
auth.py
5
auth.py
|
@ -216,11 +216,14 @@ def save_token(token, request, *args, **kwargs):
|
|||
@login_required
|
||||
@oauth.authorize_handler
|
||||
def authorize(*args, **kwargs):
|
||||
if flask.request.method == 'GET':
|
||||
form = FlaskForm()
|
||||
|
||||
if not form.validate_on_submit():
|
||||
client_id = kwargs.get('client_id')
|
||||
client = Client.query.filter_by(client_id=client_id).first()
|
||||
kwargs['client'] = client
|
||||
kwargs['user'] = current_user
|
||||
kwargs['form'] = form
|
||||
return render_template('oauthorize.html', **kwargs)
|
||||
|
||||
confirm = flask.request.form.get('confirm', 'no')
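Review bot: A POST whose CSRF token is missing or invalid now takes the same branch as a GET, because `form.validate_on_submit()` is false in both cases, so a forged request gets the consent page re-rendered with a 200 instead of being rejected. On that path `kwargs.get('client_id')` may be None and `.first()` may then return None, so the template would render against an empty client; this assumes the decorator fills the OAuth kwargs only on GET, which the page does not show. Rejecting explicitly keeps the two cases apart and gives a clear point to log: `if form.is_submitted() and not form.validate(): flask.abort(400)` placed before the render branch. The body of `authorize` continues past the hunk, and the page has lost indentation, so the nesting is inferred.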
|
||||
|
|
|
@ -35,6 +35,7 @@
|
|||
</ul>
|
||||
<h4 style="margin-bottom: 20px;">On your ({{user.username}}) behalf.</h4>
|
||||
<form action="/oauth/authorize" method="post">
|
||||
{{ form.csrf_token }}
|
||||
<input type="hidden" name="client_id" value="{{ client.client_id }}">
|
||||
<input type="hidden" name="scope" value="{{ scopes|join(' ') }}">
|
||||
<input type="hidden" name="response_type" value="{{ response_type }}">
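Review bot: The added `{{ form.csrf_token }}` stops a cross-site POST to this form, but it does not stop the consent page being framed by another site so that the user's own click is captured. Nothing in the visible hunks sets a framing policy on the response. If none is set elsewhere, send `X-Frame-Options: DENY` (or CSP `frame-ancestors 'none'`) with the response that renders this template. The form continues past the hunk, so its remaining fields and submit controls are not visible here.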
|
||||
|
|