From bebd9b0db83c91659f9149ff31940df21ab75861 Mon Sep 17 00:00:00 2001
From: Piotr Dobrowolski
Date: Mon, 9 Apr 2018 10:10:01 +0200
Subject: [PATCH] Fix CSRF

---
 auth.py | 5 ++++-
 templates/oauthorize.html | 1 +
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/auth.py b/auth.py
index 4995a58..acf73f1 100644
--- a/auth.py
+++ b/auth.py
@@ -216,11 +216,14 @@ def save_token(token, request, *args, **kwargs):
 @login_required
 @oauth.authorize_handler
 def authorize(*args, **kwargs):
-    if flask.request.method == 'GET':
+    form = FlaskForm()
+
+    if not form.validate_on_submit():
         client_id = kwargs.get('client_id')
         client = Client.query.filter_by(client_id=client_id).first()
         kwargs['client'] = client
         kwargs['user'] = current_user
+        kwargs['form'] = form
         return render_template('oauthorize.html', **kwargs)
 
     confirm = flask.request.form.get('confirm', 'no')
diff --git a/templates/oauthorize.html b/templates/oauthorize.html
index e6877e3..0e96670 100644
--- a/templates/oauthorize.html
+++ b/templates/oauthorize.html
@@ -35,6 +35,7 @@
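Review bot: The new `if not form.validate_on_submit():` branch folds a POST whose CSRF token is missing or invalid into the same path as a plain GET, so a forged or stale submission silently gets a fresh consent page with HTTP 200 instead of being rejected, which hides CSRF failures from logs and from the user. Since `validate_on_submit()` is false for any non-POST request as well, the method check and the token check should stay separate: `if flask.request.method == 'POST' and not form.validate_on_submit(): flask.abort(400)` before the existing `if flask.request.method == 'GET':` render branch (which still needs `kwargs['form'] = form`). A one-line comment on the new line, `# bare FlaskForm: used only to issue and verify the CSRF token for the consent POST`, would make the otherwise-empty form's purpose clear to the next reader. I cannot see the import block, so confirm `FlaskForm` is imported in auth.py. The body of `authorize` continues past the end of this hunk.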

On your ({{user.username}}) behalf.

+ {{ form.csrf_token }}