Fix CSRF
parent
03cae23651
commit
bebd9b0db8
5
auth.py
5
auth.py
|
@ -216,11 +216,14 @@ def save_token(token, request, *args, **kwargs):
|
||||||
@login_required
|
@login_required
|
||||||
@oauth.authorize_handler
|
@oauth.authorize_handler
|
||||||
def authorize(*args, **kwargs):
|
def authorize(*args, **kwargs):
|
||||||
if flask.request.method == 'GET':
|
form = FlaskForm()
|
||||||
|
|
||||||
|
if not form.validate_on_submit():
|
||||||
client_id = kwargs.get('client_id')
|
client_id = kwargs.get('client_id')
|
||||||
client = Client.query.filter_by(client_id=client_id).first()
|
client = Client.query.filter_by(client_id=client_id).first()
|
||||||
kwargs['client'] = client
|
kwargs['client'] = client
|
||||||
kwargs['user'] = current_user
|
kwargs['user'] = current_user
|
||||||
|
kwargs['form'] = form
|
||||||
return render_template('oauthorize.html', **kwargs)
|
return render_template('oauthorize.html', **kwargs)
|
||||||
|
|
||||||
confirm = flask.request.form.get('confirm', 'no')
|
confirm = flask.request.form.get('confirm', 'no')
|
||||||
|
|
|
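Review bot: A POST whose CSRF token is missing or stale takes the new `if not form.validate_on_submit():` branch and is answered with the consent page again, indistinguishable from a first GET, so a rejected submission is neither reported to the user nor logged; `validate_on_submit()` is false both for a non-submitting method and for a failed validation. Rejecting the failed submission explicitly keeps the new check observable: `if flask.request.method == 'POST': flask.abort(400)` as the first line of that branch (or pass `form.errors` into the template so the user sees why consent was not recorded). The commit also leaves `client` as `None` for an unknown `client_id` before `render_template`, as it was before. The rest of `authorize` runs past the end of the hunk.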
@ -35,6 +35,7 @@
|
||||||
</ul>
|
</ul>
|
||||||
<h4 style="margin-bottom: 20px;">On your ({{user.username}}) behalf.</h4>
|
<h4 style="margin-bottom: 20px;">On your ({{user.username}}) behalf.</h4>
|
||||||
<form action="/oauth/authorize" method="post">
|
<form action="/oauth/authorize" method="post">
|
||||||
|
{{ form.csrf_token }}
|
||||||
<input type="hidden" name="client_id" value="{{ client.client_id }}">
|
<input type="hidden" name="client_id" value="{{ client.client_id }}">
|
||||||
<input type="hidden" name="scope" value="{{ scopes|join(' ') }}">
|
<input type="hidden" name="scope" value="{{ scopes|join(' ') }}">
|
||||||
<input type="hidden" name="response_type" value="{{ response_type }}">
|
<input type="hidden" name="response_type" value="{{ response_type }}">
|
||||||
|
|