audiodude / rainfall

Bandcamp exodus solution, letting you create personal artist sites using Faircamp
https://rainfall.dev
MIT License
12 stars 0 forks

Add CSRF protection #34

Closed audiodude closed 10 months ago

audiodude commented 11 months ago

The way this works:

  1. All non-GET requests in the app are protected by flask-seasurf and require a CSRF token.
  2. Frontend methods that call the API via POST first request /api/v1/csrf which sets the CSRF token in a cookie.
  3. The frontend method continues, extracting the token from the cookie and passing it in the X-CSRFToken header.
  4. The seasurf middleware checks the token and allows or denies the request.

A request that fails via CSRF mismatch will be a 400 and the UI will display a "something went wrong" message, depending on the action being taken.

codecov-commenter commented 11 months ago

Codecov Report

Attention: 4 lines in your changes are missing coverage. Please review.

Comparison is base (234b8fa) 95.00% compared to head (2d4da0c) 94.97%.

Files                         Patch %   Lines
rainfall/blueprint/user.py    93.02%    3 Missing :warning:
rainfall/main.py              90.00%    1 Missing :warning:


Additional details and impacted files

```diff
@@            Coverage Diff             @@
##             main      #34      +/-   ##
==========================================
- Coverage   95.00%   94.97%   -0.03%
==========================================
  Files          24       24
  Lines        1221     1235      +14
==========================================
+ Hits         1160     1173      +13
- Misses         61       62       +1
```
