Python flask_wtf.CSRFProtect() Examples
The following are 14
code examples of flask_wtf.CSRFProtect().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
flask_wtf
, or try the search function
.
Example #1
Source File: test_csrf.py From flask-security with MIT License | 6 votes |
def test_cp_reset(app, client): """ Test that header based CSRF works for /reset when using WTF_CSRF_CHECK_DEFAULT=False. """ app.config["WTF_CSRF_ENABLED"] = True app.config["WTF_CSRF_CHECK_DEFAULT"] = False CSRFProtect(app) with mp_validate_csrf() as mp: data = dict(email="matt@lp.com") # should fail - no CSRF token response = client.post("/reset", content_type="application/json", json=data) assert response.status_code == 400 csrf_token = _get_csrf_token(client) response = client.post( "/reset", content_type="application/json", json=data, headers={"X-CSRF-Token": csrf_token}, ) assert response.status_code == 200 # 2 failures since the first time it will check twice - once due to @unauth_csrf # which will fall-through on error to form validation (which also fails). assert mp.success == 1 and mp.failure == 2
Example #2
Source File: test_csrf.py From flask-security with MIT License | 6 votes |
def test_cp_with_token(app, client): # Make sure can use returned CSRF-Token in Header. app.config["WTF_CSRF_ENABLED"] = True CSRFProtect(app) auth_token, csrf_token = json_login(client, use_header=True) # make sure returned csrf_token works in header. data = dict( password="password", new_password="battery staple", new_password_confirm="battery staple", ) with mp_validate_csrf() as mp: response = client.post( "/change", content_type="application/json", json=data, headers={"X-CSRF-Token": csrf_token}, ) assert response.status_code == 200 assert mp.success == 1 and mp.failure == 0 json_logout(client)
Example #3
Source File: test_csrf.py From flask-security with MIT License | 6 votes |
def test_csrf_cookie(app, client): app.config["WTF_CSRF_ENABLED"] = True app.config["WTF_CSRF_CHECK_DEFAULT"] = False CSRFProtect(app) json_login(client) found = False for cookie in client.cookie_jar: if cookie.name == "X-XSRF-Token": found = True assert cookie.path == "/" assert found # Make sure cleared on logout response = client.post("/logout", content_type="application/json") assert response.status_code == 200 assert "X-XSRF-Token" not in [c.name for c in client.cookie_jar]
Example #4
Source File: test_csrf.py From flask-security with MIT License | 6 votes |
def test_remember_login_csrf_cookie(app, client): # Test csrf cookie upon resuming a remember session app.config["WTF_CSRF_ENABLED"] = True CSRFProtect(app) # Login with remember_token generation json_login(client, use_header=True, remember=True) csrf_cookie = [c for c in client.cookie_jar if c.name == "X-XSRF-Token"][0] session_cookie = [c for c in client.cookie_jar if c.name == "session"][0] # Delete session and csrf cookie - we should always get new ones client.delete_cookie(csrf_cookie.domain, csrf_cookie.name) client.delete_cookie(session_cookie.domain, session_cookie.name) # Do a simple get request with the remember_token cookie present assert "remember_token" in [c.name for c in client.cookie_jar] response = client.get("/profile") assert response.status_code == 200 assert "session" in [c.name for c in client.cookie_jar] assert "X-XSRF-Token" in [c.name for c in client.cookie_jar] # Logout and check that everything cleans up nicely json_logout(client) assert "remember_token" not in [c.name for c in client.cookie_jar] assert "session" not in [c.name for c in client.cookie_jar] assert "X-XSRF-Token" not in [c.name for c in client.cookie_jar]
Example #5
Source File: test_csrf.py From flask-security with MIT License | 5 votes |
def test_login_csrf_json(app, client): app.config["WTF_CSRF_ENABLED"] = True with mp_validate_csrf() as mp: auth_token, csrf_token = json_login(client) assert auth_token assert csrf_token # Should be just one call to validate - since CSRFProtect not enabled. assert mp.success == 1 and mp.failure == 0 response = json_logout(client) session = get_session(response) assert "csrf_token" not in session
Example #6
Source File: test_csrf.py From flask-security with MIT License | 5 votes |
def test_login_csrf_json_header(app, client): app.config["WTF_CSRF_ENABLED"] = True CSRFProtect(app) with mp_validate_csrf() as mp: auth_token, csrf_token = json_login(client, use_header=True) assert auth_token assert csrf_token assert mp.success == 2 and mp.failure == 0 json_logout(client)
Example #7
Source File: test_csrf.py From flask-security with MIT License | 5 votes |
def test_cp_login_json_no_session(app, client_nc): # Test with global CSRFProtect on and not sending cookie - nothing works. app.config["WTF_CSRF_ENABLED"] = True CSRFProtect(app) # This shouldn't log in - and will return 400 with mp_validate_csrf() as mp: data = dict(email="matt@lp.com", password="password", remember="y") response = client_nc.post( "/login", content_type="application/json", json=data, headers={"Accept": "application/json"}, ) assert response.status_code == 400 # This still wont work since we don't send a session cookie response = client_nc.post( "/login", content_type="application/json", json=data, headers={"X-CSRF-Token": _get_csrf_token(client_nc)}, ) assert response.status_code == 400 # Although failed - CSRF should have been called assert mp.failure == 2
Example #8
Source File: test_csrf.py From flask-security with MIT License | 5 votes |
def test_cp_config2(app, client): # Test improper config (must have CSRFProtect configured if setting # CSRF_PROTECT_MECHANISMS app.config["WTF_CSRF_ENABLED"] = True # The check is done on first request. with pytest.raises(ValueError) as ev: logout(client) assert "CsrfProtect not part of application" in str(ev.value)
Example #9
Source File: test_csrf.py From flask-security with MIT License | 5 votes |
def test_different_mechanisms(app, client): # Verify that using token doesn't require CSRF, but sessions do app.config["WTF_CSRF_ENABLED"] = True app.config["WTF_CSRF_CHECK_DEFAULT"] = False CSRFProtect(app) with mp_validate_csrf() as mp: auth_token, csrf_token = json_login(client) # session based change password should fail data = dict( password="password", new_password="battery staple", new_password_confirm="battery staple", ) response = client.post( "/change", json=data, headers={"Content-Type": "application/json"} ) assert response.status_code == 400 assert b"The CSRF token is missing" in response.data # token based should work response = client.post( "/change", json=data, headers={ "Content-Type": "application/json", "Authentication-Token": auth_token, }, ) assert response.status_code == 200 assert mp.success == 1 and mp.failure == 2
Example #10
Source File: test_csrf.py From flask-security with MIT License | 5 votes |
def test_different_mechanisms_nc(app, client_nc): # Verify that using token and no session cookie works # Note that we had to disable unauth_endpoints since you can't log in # w/ CSRF if you don't send in the session cookie. app.config["WTF_CSRF_ENABLED"] = True app.config["WTF_CSRF_CHECK_DEFAULT"] = False CSRFProtect(app) with mp_validate_csrf() as mp: auth_token, csrf_token = json_login(client_nc) # token based should work data = dict( password="password", new_password="battery staple", new_password_confirm="battery staple", ) response = client_nc.post( "/change", json=data, headers={ "Content-Type": "application/json", "Authentication-Token": auth_token, }, ) assert response.status_code == 200 assert mp.success == 0 and mp.failure == 0
Example #11
Source File: test_csrf.py From flask-security with MIT License | 5 votes |
def test_cp_with_token_cookie(app, client): # Make sure can use returned CSRF-Token cookie in Header. app.config["WTF_CSRF_ENABLED"] = True CSRFProtect(app) json_login(client, use_header=True) # make sure returned csrf_token works in header. data = dict( password="password", new_password="battery staple", new_password_confirm="battery staple", ) csrf_token = [c.value for c in client.cookie_jar if c.name == "X-XSRF-Token"][0] with mp_validate_csrf() as mp: response = client.post( "/change", content_type="application/json", json=data, headers={"X-XSRF-Token": csrf_token}, ) assert response.status_code == 200 # 2 successes since the utils:csrf_cookie_handler will check assert mp.success == 2 and mp.failure == 0 json_logout(client) assert "X-XSRF-Token" not in [c.name for c in client.cookie_jar]
Example #12
Source File: test_csrf.py From flask-security with MIT License | 5 votes |
def test_cp_with_token_cookie_refresh(app, client): # Test CSRF_COOKIE_REFRESH_EACH_REQUEST app.config["WTF_CSRF_ENABLED"] = True CSRFProtect(app) json_login(client, use_header=True) # make sure returned csrf_token works in header. data = dict( password="password", new_password="battery staple", new_password_confirm="battery staple", ) csrf_cookie = [c for c in client.cookie_jar if c.name == "X-XSRF-Token"][0] with mp_validate_csrf() as mp: # Delete cookie - we should always get a new one client.delete_cookie(csrf_cookie.domain, csrf_cookie.name) response = client.post( "/change", content_type="application/json", json=data, headers={"X-XSRF-Token": csrf_cookie.value}, ) assert response.status_code == 200 csrf_cookie = [c for c in client.cookie_jar if c.name == "X-XSRF-Token"][0] assert csrf_cookie assert mp.success == 1 and mp.failure == 0 json_logout(client) assert "X-XSRF-Token" not in [c.name for c in client.cookie_jar]
Example #13
Source File: app.py From incubator-superset with Apache License 2.0 | 5 votes |
def configure_wtf(self) -> None: if self.config["WTF_CSRF_ENABLED"]: csrf = CSRFProtect(self.flask_app) csrf_exempt_list = self.config["WTF_CSRF_EXEMPT_LIST"] for ex in csrf_exempt_list: csrf.exempt(ex)
Example #14
Source File: test_flask_dropzone.py From flask-dropzone with MIT License | 5 votes |
def setUp(self): self.app = Flask(__name__) self.app.testing = True self.app.secret_key = 'for test' dropzone = Dropzone(self.app) # noqa csrf = CSRFProtect(self.app) # noqa self.dropzone = _Dropzone @self.app.route('/upload') def upload(): pass @self.app.route('/') def index(): return render_template_string(''' {{ dropzone.load_css() }}\n{{ dropzone.create(action_view='upload') }} {{ dropzone.load_js() }}\n{{ dropzone.config() }}''') @self.app.route('/load') def load(): return render_template_string(''' {{ dropzone.load() }}\n{{ dropzone.create(action_view='upload') }}''') self.context = self.app.test_request_context() self.context.push() self.client = self.app.test_client()