This repository has been archived by the owner on Feb 22, 2024. It is now read-only.

Add CSRF protection to social route #24

Open
eriktaubeneck opened this issue Nov 25, 2013 · 5 comments

@eriktaubeneck
Collaborator

Flask-WTF has a great function, CsrfProtect, that will raise an exception whenever a non-GET request is made if the route doesn't check for a form validation. In fact, without this, functions like remove_connections are currently vulnerable to a CSRF attack.

Implementation is fairly simple. In the view functions we just:

from flask_wtf import Form
...
def view_func():
    form = Form()  # a bare Form carries only the hidden csrf_token field
    if form.validate_on_submit():  # False on GET, or on a POST with a missing/bad token
        # do stuff
        ...

and in the template, when any such form is used, we just add:

<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>

@mattupstate wanted to get your opinion on implementation before I work too far on this. @talos will likely also be working with me on it, so any input from either of you would be great.
I was thinking for the first part, we'd want to wrap it in a config check, app.config['CSRF_ENABLED'] that is set by calling the CsrfProtect function. It might be useful to also set an override, app.config['SOCIAL_CSRF_ENABLED'], but this might be overkill and over complicated.

Also, the template stuff is obviously a change to Flask-Social-Example. I think it makes sense to turn it on for the example, both since it's a good practice to use something like CsrfProtect, and so that we can have the example reflecting that use case.
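The mechanism the comment above relies on, as an added, framework-free illustration (not Flask-WTF's, Flask-Social's or the commenter's own code): a stand-in app with a cookie-backed session, the CSRF_ENABLED / SOCIAL_CSRF_ENABLED gating proposed in the comment, a before-request check in the spirit of CsrfProtect, and a state-changing remove_connection view. The token scheme (HMAC of a per-session secret under the app key), the class names and the connections datastore are assumptions made for the example. It shows why a forged cross-site POST succeeds when the check is off, and why it is rejected when the check is on while the user's own form, rendered with the token, still goes through.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for the parts of a Flask app this example needs.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


class CsrfError(Exception):
    """Raised when a state-changing request carries no valid csrf_token."""


class Request:
    def __init__(self, method, form=None, cookies=None):
        self.method = method
        self.form = dict(form or {})
        # Browsers attach cookies to any request aimed at the site, so a forged
        # cross-site POST arrives carrying the victim's session cookie.
        self.cookies = dict(cookies or {})


class App:
    def __init__(self, config):
        self.config = config
        self.secret_key = secrets.token_bytes(32)
        self.sessions = {}  # cookie value -> session dict
        # Hypothetical datastore: the social connections of one logged-in user.
        self.connections = {"twitter", "github"}

    def login(self):
        """Create a session and return the cookie the browser would store."""
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = {}
        return cookie

    def csrf_token(self, session):
        """Per-session token, as a template's csrf_token() helper would emit it.
        Assumed scheme: a random secret lives only in the session and the form
        carries an HMAC of it keyed with the app secret."""
        if "csrf_raw" not in session:
            session["csrf_raw"] = secrets.token_hex(32)
        return hmac.new(self.secret_key, session["csrf_raw"].encode(),
                        hashlib.sha256).hexdigest()

    def csrf_enabled(self):
        # Gating as proposed in the issue: SOCIAL_CSRF_ENABLED, when set at all,
        # overrides the app-wide CSRF_ENABLED for the social routes.
        override = self.config.get("SOCIAL_CSRF_ENABLED")
        if override is not None:
            return bool(override)
        return bool(self.config.get("CSRF_ENABLED", False))

    def check_csrf(self, request, session):
        """Before-request check: every non-safe request must carry a token
        matching the one minted for this session."""
        if request.method in SAFE_METHODS or not self.csrf_enabled():
            return
        supplied = request.form.get("csrf_token")
        if not supplied or "csrf_raw" not in session:
            raise CsrfError("missing csrf_token")
        expected = self.csrf_token(session)
        if not hmac.compare_digest(expected, supplied):  # constant-time compare
            raise CsrfError("bad csrf_token")

    def dispatch(self, request):
        """Route one request to remove_connection, running the CSRF check first.
        Returns the connections left afterwards."""
        session = self.sessions.get(request.cookies.get("session"))
        if session is None:
            raise PermissionError("not logged in")
        self.check_csrf(request, session)
        return self.remove_connection(request)

    def remove_connection(self, request):
        # The state-changing view from the issue: a POST deletes a connection.
        self.connections.discard(request.form.get("provider"))
        return set(self.connections)


def forged_post(csrf_enabled):
    """An attacker's page auto-submits a POST to the route. The browser adds the
    victim's cookie, but the attacker cannot read or supply the token."""
    app = App({"CSRF_ENABLED": csrf_enabled})
    cookie = app.login()
    forged = Request("POST", form={"provider": "twitter"},
                     cookies={"session": cookie})
    try:
        return app.dispatch(forged)
    except CsrfError:
        return set(app.connections)  # rejected before the view ran


def legitimate_post():
    """The user's own form, rendered with the hidden csrf_token input filled in."""
    app = App({"CSRF_ENABLED": True})
    cookie = app.login()
    token = app.csrf_token(app.sessions[cookie])  # what {{ csrf_token() }} emits
    real = Request("POST", form={"provider": "twitter", "csrf_token": token},
                   cookies={"session": cookie})
    return app.dispatch(real)
```

With the check disabled, forged_post(False) returns {"github"}: the forged request deleted the connection. With it enabled, forged_post(True) returns the untouched {"twitter", "github"}, while legitimate_post() still returns {"github"}. Note the caveat the override implies: setting SOCIAL_CSRF_ENABLED to false while CSRF_ENABLED is true keeps the social routes working without tokens, but it also leaves remove_connection open to exactly the forged POST shown here, so the override is only safe for routes that change no server state.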

@mattupstate
Collaborator

@eriktaubeneck I'm not sure it's necessary. While the forms do require a POST to get the OAuth flow started, we're not manipulating any data on the server in the context of that request.

@eriktaubeneck
Collaborator Author

remove_all_connections and remove_connection would both delete data in your datastore if attacked. Moreover, if you want to use the CsrfProtect function that Flask-WTF provides, it breaks all of the social routes.

@mattupstate
Collaborator

Ah, fair enough. Let's definitely look into this, then.

@abendebury

Hi guys - any updates on this? I'm trying to use Flask-Social on my site and I'm having issues because my other forms are csrf protected but Flask-Social's forms aren't.

@italomaia

Hello @mattupstate @eriktaubeneck any updates? Need help?
