
jwag956 / flask-security / 297 / 4
97%
master: 97%

Build:
DEFAULT BRANCH: master
Ran 23 Jul 2019 07:06PM UTC
Files 24
Run time 8min
23 Jul 2019 07:01PM UTC coverage: 94.169% (+0.08%) from 94.092%
REQUIREMENTS=lowest

push

travis-ci

web-flow
Feature - update CSRF support. (#131)

With the help of Flask-WTF - when using forms (both GET and POST) CSRF
protection was handled transparently.

However this didn't work well with pure token based authentication or
when sending requests in via JSON and had enabled site-wide CSRF
protection via Flask-WTF:CSRFProtect.

This change adds considerable flexibility when working with CSRF as well
as a new set of application notes around CSRF.

- You can configure flask-security to enforce CSRF for session based auth but allow
  token based auth to not require CSRF (this is the common use case for applications
  that support a browser-based UI as well as a pure JSON API)

- Extended the response for JSON requests to include the session csrf-token which can
  then be used in the X-CSRF-Token request header.

- Extended the flask-security authn decorators to run CSRF protection based on authn types.

- Added a configuration variable CSRF_IGNORE_UNAUTH_ENDPOINTS to make it easy to turn off
  so-called login CSRF protection (which most applications really don't need).

- Fix issue where on logout the csrf-token wasn't being cleared from the session cookie.

- Fix issue where change_password didn't work with token authn.

- Allow accessing /login endpoint even if logged in. For GETs - this is a way to
  get csrf_token as well as getting user info based on session cookie.

- Add option to send a cookie with csrf_token - this is what axios and angular want to
  automagically send a CSRF header.

closes: #93, #96, #126

2067 of 2195 relevant lines covered (94.17%)

0.94 hits per line

  • 063f6139 on github