implement anti-csrf measures in all posted forms
@ -1,6 +1,8 @@
|
||||
import functools
|
||||
import re
|
||||
|
||||
from nanoid import generate
|
||||
|
||||
from flask import Blueprint
|
||||
from flask import flash
|
||||
from flask import current_app
|
||||
@ -22,7 +24,7 @@ def account_required(view):
|
||||
|
||||
@functools.wraps(view)
|
||||
def wrapped_view(**kwargs):
|
||||
if session.get("account") is None:
|
||||
if session.get("account") is None or session.get("csrf-token") is None :
|
||||
return redirect(url_for("auth.login"))
|
||||
|
||||
return view(**kwargs)
|
||||
@ -69,6 +71,8 @@ def magiclink(token):
|
||||
if email is not None:
|
||||
session.clear()
|
||||
session["account"] = email
|
||||
session["csrf-token"] = generate()
|
||||
|
||||
return redirect(url_for("console.index"))
|
||||
else:
|
||||
# this is here to prevent xss
|
||||
|
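Review bot: The guard added in the account_required hunk, `if session.get("account") is None or session.get("csrf-token") is None :`, only checks that a token exists in the session and never compares it with a value submitted in the form, so on its own it does not reject a cross-site POST from a logged-in browser; protection depends on each POST view doing its own comparison, which is not visible on this page. If that comparison lives elsewhere in the commit, a comment on the decorator would make the contract explicit, e.g. `# presence check only: POST views must compare the submitted field with session["csrf-token"] (hmac.compare_digest)`, and the stray space before the colon should be dropped. The body of account_required starts before the hunk, and magiclink continues past the third hunk, so the redirect-on-missing-token behaviour cannot be fully judged here. `import re` in the first hunk is not used by any line shown; it may serve code outside these hunks.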