Fix CSRF

2018-04-09 10:10:01 +02:00 · 2018-04-09 10:10:01 +02:00 · bebd9b0db8
parent 03cae23651
commit bebd9b0db8
2 changed files with 5 additions and 1 deletions
--- a/auth.py
+++ b/auth.py
@ -216,11 +216,14 @@ def save_token(token, request, *args, **kwargs):
@login_required
@oauth.authorize_handler
 def authorize(*args, **kwargs):
-    if flask.request.method == 'GET':
+    form = FlaskForm()
+
+    if not form.validate_on_submit():
        client_id = kwargs.get('client_id')
        client = Client.query.filter_by(client_id=client_id).first()
        kwargs['client'] = client
        kwargs['user'] = current_user
+        kwargs['form'] = form
        return render_template('oauthorize.html', **kwargs)

    confirm = flask.request.form.get('confirm', 'no')
--- a/templates/oauthorize.html
+++ b/templates/oauthorize.html
@ -35,6 +35,7 @@
    </ul>
    <h4 style="margin-bottom: 20px;">On your ({{user.username}}) behalf.</h4>
    <form action="/oauth/authorize" method="post">
+      {{ form.csrf_token }}
      <input type="hidden" name="client_id" value="{{ client.client_id }}">
      <input type="hidden" name="scope" value="{{ scopes|join(' ') }}">
      <input type="hidden" name="response_type" value="{{ response_type }}">