weinbergdavid/python-flask-security

Don't disable CSRF tokens.

usrbinsam opened this issue · 1 comment

Disabling CSRF tokens to get this to work is unnecessary, and doing so is a bad idea.

Flask-WTF does not make retrieving the CSRF token convenient, but it's easy to do with the help of the BeautifulSoup module, or any other HTML parser, to get the token out of the <input> tag on the login page.

import json
import requests
from bs4 import BeautifulSoup

def getLoginToken(address, email, password):

    # One session for both requests: the CSRF token is bound to the session
    # cookie set by the GET, so the POST must carry that same cookie.
    client = requests.session()

    # Pull the token out of the hidden <input name="csrf_token"> on the login page.
    soup = BeautifulSoup(client.get(address).text, "html.parser")
    csrf = soup.find("input", { "name": "csrf_token" })["value"]

    # Send the token back alongside the credentials in the JSON body.
    login_data = json.dumps({
        "email": email,
        "password": password,
        "csrf_token": csrf
    })

    r = client.post(address, data=login_data, headers={ "content-type": "application/json" })

    return r.json()

print(getLoginToken("http://127.0.0.1:5000/login", "sam@example.com", "hunter2"))
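The same token extraction with only the standard library, as an added example that is not part of this issue or of the project's code. It goes slightly beyond the snippet above: it also accepts the `<meta name="csrf-token">` form Flask-WTF documents for AJAX clients, fails loudly when the page renders no token, and puts the token in the `X-CSRFToken` header that Flask-WTF's CSRFProtect checks as well as in the body. The login page HTML below is constructed for the example.

```python
import json
from html.parser import HTMLParser


class CsrfTokenExtractor(HTMLParser):
    # Flask-WTF renders the token as <input name="csrf_token" value="..."> in the
    # form, or as <meta name="csrf-token" content="..."> when the template uses
    # csrf_token() for AJAX; the first one found wins.
    def __init__(self):
        super().__init__()
        self.token = None

    def handle_starttag(self, tag, attrs):
        if self.token is not None:
            return
        a = dict(attrs)
        if tag == "input" and a.get("name") == "csrf_token":
            self.token = a.get("value")
        elif tag == "meta" and a.get("name") == "csrf-token":
            self.token = a.get("content")


def extract_csrf_token(page_html):
    """Return the CSRF token from the login page, or raise if none was rendered."""
    parser = CsrfTokenExtractor()
    parser.feed(page_html)
    if not parser.token:
        raise ValueError("no csrf_token on the login page; check the form renders it")
    return parser.token


def build_login_request(page_html, email, password):
    """Build the JSON body and headers for the login POST, token included."""
    token = extract_csrf_token(page_html)
    body = json.dumps({"email": email, "password": password, "csrf_token": token})
    # X-CSRFToken is one of the header names CSRFProtect reads (WTF_CSRF_HEADERS).
    headers = {"Content-Type": "application/json", "X-CSRFToken": token}
    return body, headers


# Constructed login page, shaped like the form Flask-Security renders.
SAMPLE_LOGIN_PAGE = """<html><body>
<form action="/login" method="POST">
  <input id="csrf_token" name="csrf_token" type="hidden" value="IjEyMzQi.dummy.signature">
  <input id="email" name="email" type="text">
  <input id="password" name="password" type="password">
</form></body></html>"""
```

The returned body and headers are what the `client.post` call above would send; the session cookie from the GET still has to travel with them.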

Good answer @miniCruzer. However, this does not solve the bigger issue here.