Metadata-Version: 2.1
Name: flask-simple-csrf
Version: 1.0.0
Summary: Extremely simple, "Good Enough" csrf implemention for flask forms.
Home-page: https://github.com/cc-d/flask-simple-csrf
Author: Cary Carter
Author-email: ccarterdev@gmail.com
License: MIT
Platform: UNKNOWN
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.7
Description-Content-Type: text/markdown
Requires-Dist: Werkzeug (==0.16.0)

# Install
`pip3 install flask-simple-csrf`
or, if installing from source:
`python3 setup.py install`

# How to use
This package assigns a unique CSRF string per form submit, per user session, without requiring any backend session tracking. First, set a variable `SECRET_CSRF_KEY` in your app config to a random, complex string. Example: `SECRET_CSRF_KEY = 'wMmeltW4mhwidorQRli6Oxx9VPXldz'`

Second, you probably want to add something like this to the top of your code:

```
import secrets
from flask import session
import flask_simple_csrf as CSRF

app = CSRF.init_app(app)  # `app` is your Flask app; flask.session also needs app.secret_key set


def random_string(length):
    # Not provided by the README; assumed helper returning `length` random hex characters.
    return secrets.token_hex(length // 2)


@app.before_request
def before_request():
    # Issue the per-session pair once; it is rotated again after each verified POST.
    if 'CSRF_TOKEN' not in session or 'USER_CSRF' not in session:
        session['USER_CSRF'] = random_string(64)
        session['CSRF_TOKEN'] = CSRF.create(session['USER_CSRF'])
```

Each user session should have a unique CSRF string, which is rotated after each form submit.

In the HTML templates you want to protect, add: `{{ csrf_html(session['USER_CSRF'])|safe }}`

This will create something like this: `<input type="hidden" value="9D..." name="simplecsrf">`

I'd recommend creating a wrapper to avoid code duplication when checking for this value. Something like:
```
from functools import wraps
from flask import flash, request, session


def require_csrf(f):
    @wraps(f)
    def decorated(*args, **kwargs):
        if request.method == 'POST':
            user_csrf = request.form.get('simplecsrf')

            # Reject the submit if the posted value does not match the stored server token.
            if CSRF.verify(user_csrf, session['CSRF_TOKEN']) is False:
                flash('submitted csrf does not match combined server & user keys')
                return logout()  # your app's logout view

            # Your helper that drops USER_CSRF/CSRF_TOKEN so before_request issues a fresh pair.
            clear_csrf_tokens()
            flash('csrf user token and server token match', 'success')

        return f(*args, **kwargs)
    return decorated
```

Then apply the `@require_csrf` decorator to each Flask view on which you want the check enforced.
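To make the two-key design concrete, here is an added, stand-alone illustration of the pattern the README describes: a random per-session user string, a server token derived from it under `SECRET_CSRF_KEY`, constant-time verification of the posted value, and rotation of both halves after a successful submit. It is not the package's own code; how `flask_simple_csrf` actually implements `CSRF.create`/`CSRF.verify` may differ, and the function names, the HMAC derivation and the dict standing in for `flask.session` are this example's assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed secret for the example only; a real app sets SECRET_CSRF_KEY in its config.
SECRET_CSRF_KEY = "example-only-secret-replace-me"


def random_string(length: int = 64) -> str:
    """Per-session user half (what the README stores in session['USER_CSRF'])."""
    return secrets.token_hex(length // 2)


def create(user_csrf: str, secret: str = SECRET_CSRF_KEY) -> str:
    """Server half: an HMAC-SHA256 of the user string under the app secret.

    Assumed derivation for illustration; the package's own create() may differ.
    """
    return hmac.new(secret.encode(), user_csrf.encode(), hashlib.sha256).hexdigest()


def verify(submitted: Optional[str], server_token: str, secret: str = SECRET_CSRF_KEY) -> bool:
    """True only if the value posted from the hidden input recomputes to the stored token."""
    if not submitted or not server_token:
        return False
    # compare_digest does not leak how many leading characters matched.
    return hmac.compare_digest(create(submitted, secret), server_token)


def handle_post(session: dict, submitted: Optional[str]) -> bool:
    """Mirrors the decorator: reject a bad token, otherwise rotate both halves.

    `session` is a plain dict standing in for flask.session.
    """
    if not verify(submitted, session.get("CSRF_TOKEN", "")):
        return False
    # Rotate so a value captured from one form cannot be replayed on the next submit.
    session["USER_CSRF"] = random_string(64)
    session["CSRF_TOKEN"] = create(session["USER_CSRF"])
    return True
```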