Improve CSRF
Added testing to /tf-setup - there wasn't any CSRF issue - all working.

CSRF handling is complex and there are few unit tests.

- Added @pytest.mark.csrf to make it easier to turn on and test CSRF w/o lots of boilerplate
- Added tests and improved many templates to show CSRF errors - mostly for developers - but otherwise CSRF errors tend to just disappear and are difficult to debug
- Found issue with WTForms with the new form-level errors - it uses a `None` key - which, if there are multiple errors, isn't sortable by Flask's default JSON serializer. Filed issue and now change it from `None` to ""
- Fixed issue in webauthn with CSRF errors causing exceptions - added tests.
- In the case of CSRFProtect() (the app configuring CSRF for the entire app) a CSRF error would raise an exception which would always return an HTML response - added code to return a JSON response if desired.
- Add more documentation...

closes #905
jwag956 committed Jan 26, 2024
1 parent 5bb3f21 commit 0363354
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions docs/patterns.rst
Expand Up @@ -289,6 +289,13 @@ Be aware that if you enable this it will ONLY work if you send the session cooki
.. note::
It is IMPORTANT that you initialize/call ``CSRFProtect`` PRIOR to initializing Flask_Security.

.. note::
Calling CSRFProtect(app) will setup a @before_request handler to verify CSRF - this occurs BEFORE any Flask-Security decorators
or other view/form logic. One side effect is that CSRFProtect, on error, will raise a BadRequest error which returns a small
piece of HTML by default - your application will need to add a Flask ErrorHandler to change that. Alternatively, and recommended
is to set `WTF_CSRF_CHECK_DEFAULT` to `False` - which will disable the @before_request and let Flask-Security handle CSRF protection
including properly returning a JSON response if the caller asks for it.


Using a Cookie
--------------
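Review bot: the recommendation in the new note (lines 33-35) to set `WTF_CSRF_CHECK_DEFAULT` to `False` disables the app-wide ``@before_request`` check described on line 31, so the note should state that the application's own views, which that global hook used to cover, then need their own CSRF verification; as written a reader could take "let Flask-Security handle CSRF protection" to mean the whole application stays protected. Two smaller points in the same hunk: the config key and value are marked with single backticks (`WTF_CSRF_CHECK_DEFAULT`, `False`), which reStructuredText renders as the default role rather than as inline literals, whereas the existing note uses ``CSRFProtect``; use double backticks for consistency. Also "will setup a @before_request handler" should read "will set up a ``@before_request`` handler", and "Alternatively, and recommended is to set ..." reads more cleanly as "Alternatively, and recommended, set ...".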
