{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 相关推荐>> 的问题《Flask-Security CSRF token》','https://www.manongdao.com/q-522737.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I have a flask app that serves as REST API backend. I would like to implement token based authentication for the backend but in order to do that I need to retrieve the user token. Flask-Security documentation clearly says that to retrieve the token one needs to perform an HTTP POST with the authentication details as JSON data to the authentication endpoint. Unfortunately I don't understand how to retrieve the CSRF token needed to perform such request.
If I use the login page/template provided with the extension the CSRF token is passed to the client in the hidden field in the form. The question is:
how do I retrieve the CSRF token without accessing and parsing the login page, like for example from an angularJS app using $http methods or a mobile app?
Obviously I could avoid using Flask-Security and implement the pieces myself but I'm relatively inexperienced with webapps and I feel I might be approaching this the wrong way.
I fought with this problem for hours last night. Here's what ended up working for me:
When I create my app instance:
In my /login HTML:
From Postman:
Here was an alternative I tried, and maybe this will be more successful? This is basically the same reply that the flask-security example apps give:
I had a similar use case and ended solving it by following this example from the Flask-WTF docs: https://flask-wtf.readthedocs.org/en/latest/csrf.html#ajax
So by CSRF Protecting the app via
CsrfProtect(app), the csrf_token() becomes available in all templates. Then you can easily make it available via a script tag:Now add the token to your post data for the Flask-Security /login endpoint.
I haven't tested that this works, but from briefly inspecting the source code it appears you have to send a GET request to the login URL with the content type set to
application/json. Flask-Security responds to this request with a JSON version of the login form and that includes the token. Once you have the token you can send the POST request.Well, there is a simple way. Visit. A configuration item WTF_CSRF_ENABLED could be set to False to disable the csrf. Then everything goes as you wish.
[Writing as an an answer since I do not have enough reputation to comment]
I have run into exact same problem as Jacopo, in that - request.json is empty and thus get_auth_token() is not triggered.
BTW - Flask Security documentation says :
So I tried POST, not GET (Still same problem of empty request.json) I called /login with json data as :
and sent a request using Postman client in Google Chrome.
Yet, request.json is empty :(
Edit : I was able to move forward using python's request module. Details here