Implement CSRF

2022-07-10 20:32:29 +01:00
parent c7ead8d4fd
commit 3ad51ee1a3
5 changed files with 15 additions and 3 deletions
--- a/app/app.py
+++ b/app/app.py
@ -3,10 +3,12 @@
 """Flask web server."""

 from flask import Flask, render_template, request
+from flask_wtf.csrf import CSRFProtect
 from app.send_page import send_page


 app = Flask(__name__)
+csrf = CSRFProtect(app)

@app.route("/", methods=['GET'])
 def index():
--- a/app/main.py
+++ b/app/main.py
@ -2,11 +2,15 @@

 """Main module."""

-from app.app import app
+import os
+
+from app.app import app, csrf


 def main():
    """Run the app."""
+    app.secret_key = os.urandom(12).hex()
+    csrf.init_app(app)
    app.run()


--- a/app/templates/index.html
+++ b/app/templates/index.html
@ -24,7 +24,7 @@
    <div class="container">
        <header class="d-flex flex-wrap justify-content-center py-3 mb-4 border-bottom">
          <a href="/" class="d-flex align-items-center mb-3 mb-md-0 me-md-auto text-dark text-decoration-none">
-            <img src="{{ url_for('static', filename='msg.png') }}" class="bi me-2" height="32"/>
+            <img alt="ePage logo" src="{{ url_for('static', filename='msg.png') }}" class="bi me-2" height="32"/>
            <span class="fs-4">ePage</span>
          </a>
        </header>
@ -63,6 +63,7 @@
          </div>
        </div>
        <br>
+        <input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
      <button class="btn btn-primary" type="submit">Submit</button>
    </form>