See if Flask-Security has issue with csrf token rotation on login/out #93
jwag956 added a commit that referenced this issue on Jul 23, 2019:
With the help of Flask-WTF, when using forms (both GET and POST), CSRF protection was handled transparently. However, this didn't work well with pure token-based authentication, or when sending requests in via JSON and having enabled site-wide CSRF protection via Flask-WTF:CSRFProtect. This change adds considerable flexibility when working with CSRF as well as a new set of application notes around CSRF.

- You can configure flask-security to enforce CSRF for session-based auth but allow token-based auth to not require CSRF (this is the common use case for applications that support a browser-based UI as well as a pure JSON API).
- Extended the response for JSON requests to include the session csrf-token, which can then be used in the X-CSRF-Token request header.
- Extended the flask-security authn decorators to run CSRF protection based on authn types.
- Added a configuration variable CSRF_IGNORE_UNAUTH_ENDPOINTS to make it easy to turn off so-called login CSRF protection (which most applications really don't need).
- Fix issue where on logout the csrf-token wasn't being cleared from the session cookie.
- Fix issue where change_password didn't work with token authn.
- Allow accessing /login endpoint even if logged in. For GETs, this is a way to get csrf_token as well as getting user info based on session cookie.
- Add option to send a cookie with csrf_token; this is what axios and angular want to automagically send a CSRF header.

closes: #93, #96, #126
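The commit message above describes a per-mechanism CSRF policy (enforce for session-cookie auth, skip for token auth, optionally skip for unauthenticated endpoints), returning the session CSRF token to JSON clients for the X-CSRF-Token header, and clearing that token on logout. The following is an added, dependency-free illustration of that decision logic; it is not Flask-Security's or Flask-WTF's code, and every name in it (CSRF_PROTECT_MECHANISMS, handle_request, the dict used as a stand-in session) is an assumption made for this example.

```python
import hmac
import secrets
from typing import Dict, Optional

# Stand-in for a server-side session: one dict per client (constructed for this example).
Session = Dict[str, str]

# Policy knobs mirroring the behaviour the commit describes. Names are assumed, not Flask-Security's.
CSRF_PROTECT_MECHANISMS = {"session"}   # "token" is deliberately absent: a bearer token in a
                                        # custom header cannot be attached by a cross-site form.
CSRF_IGNORE_UNAUTH_ENDPOINTS = True     # turn off so-called "login CSRF" protection
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # state-changing methods are the ones CSRF guards


def issue_csrf_token(session: Session) -> str:
    """Create the session-bound CSRF token if absent, and return it."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def authn_mechanism(session: Session, headers: Dict[str, str]) -> Optional[str]:
    """Classify how the request authenticates: token header, session cookie, or anonymous.

    Validating the token value itself is out of scope here; only the mechanism matters
    for the CSRF decision.
    """
    if "Authentication-Token" in headers:
        return "token"
    if session.get("user_id"):
        return "session"
    return None


def csrf_ok(session: Session, headers: Dict[str, str]) -> bool:
    """Constant-time comparison of the supplied header against the session's token."""
    expected = session.get("csrf_token")
    supplied = headers.get("X-CSRF-Token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


def should_enforce_csrf(method: str, session: Session, headers: Dict[str, str]) -> bool:
    """Decide whether this request must carry a valid CSRF token."""
    if method.upper() in SAFE_METHODS:
        return False
    mechanism = authn_mechanism(session, headers)
    if mechanism is None:
        return not CSRF_IGNORE_UNAUTH_ENDPOINTS
    return mechanism in CSRF_PROTECT_MECHANISMS


def handle_request(method: str, session: Session, headers: Dict[str, str]) -> dict:
    """Gate a state-changing endpoint; returns a minimal response dict."""
    if should_enforce_csrf(method, session, headers) and not csrf_ok(session, headers):
        return {"status": 400, "error": "The CSRF token is missing or invalid."}
    return {"status": 200}


def login(session: Session, user_id: str) -> dict:
    """Establish the session and hand the CSRF token back in the JSON body,
    so a JSON client can echo it in X-CSRF-Token on later requests."""
    session["user_id"] = user_id
    return {"status": 200, "csrf_token": issue_csrf_token(session)}


def logout(session: Session) -> None:
    """Drop both the identity and the CSRF token, so the old token cannot be replayed
    against a fresh session (the logout fix the commit mentions)."""
    session.pop("user_id", None)
    session.pop("csrf_token", None)


if __name__ == "__main__":
    s: Session = {}
    token = login(s, "alice")["csrf_token"]
    print(handle_request("POST", s, {}))                        # 400: session auth, no header
    print(handle_request("POST", s, {"X-CSRF-Token": token}))   # 200: header matches session
    print(handle_request("POST", s, {"Authentication-Token": "t"}))  # 200: token auth skips CSRF
    logout(s)
    print("csrf_token" in s)                                    # False: cleared on logout
```

The interesting cases are the ones the commit message calls out: a session-authenticated POST without the header is rejected, a token-authenticated request is not subject to the check at all, and after logout a re-login yields a different token so the old one no longer validates.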
As discussed here:
wtforms/flask-wtf#354