dpgaspar / Flask-AppBuilder

Simple and rapid application development framework, built on top of Flask. Includes detailed security, auto CRUD generation for your models, Google Charts and much more. Demo (login with guest/welcome) - http://flaskappbuilder.pythonanywhere.com/
BSD 3-Clause "New" or "Revised" License

Feature Request: Make the `login`/`logout` methods in `AuthView` configurable #2248

Open shahar1 opened 5 months ago

shahar1 commented 5 months ago

In Apache Airflow, we have a use case for protecting the logout route from CSRF attacks (https://github.com/apache/airflow/issues/33030), and for that we need to convert the methods of the logout route in AuthView to ["POST"] only. As we use the default configuration, we need to override the method manually, which is a bit hacky. It would be nice if we could make the login and logout methods in AuthView configurable, somewhat like the following snippet:


```python
from flask import redirect
from flask_appbuilder import BaseView, expose
from flask_babel import lazy_gettext
from flask_login import logout_user

# Proposed configuration: HTTP methods accepted by each auth route
conf = {
    "login_methods": ["POST"],
    "logout_methods": ["POST"],
    # ...
}

class AuthView(BaseView):
    route_base = ""
    login_template = ""
    invalid_login_message = lazy_gettext("Invalid login. Please try again.")
    title = lazy_gettext("Sign In")

    @expose("/login/", methods=conf["login_methods"])  # <-
    def login(self):
        pass

    @expose("/logout/", methods=conf["logout_methods"])  # <-
    def logout(self):
        logout_user()
        return redirect(
            self.appbuilder.app.config.get(
                "LOGOUT_REDIRECT_URL", self.appbuilder.get_url_for_index
            )
        )
```
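
The idea in the request above, as an added plain-Flask example that is not code from Flask-AppBuilder or Airflow: the allowed methods are read from app config when the routes are registered, and a POST logout also checks a session-bound CSRF token. The config keys `AUTH_LOGIN_METHODS` and `AUTH_LOGOUT_METHODS`, the helpers `create_app` and `logout_status`, and the stand-in login handler are assumptions made for this example.

```python
import hmac
import secrets

from flask import Flask, abort, redirect, request, session

# Hypothetical config keys for this example; Flask-AppBuilder does not define them.
DEFAULT_METHODS = {"AUTH_LOGIN_METHODS": ["GET", "POST"], "AUTH_LOGOUT_METHODS": ["GET"]}


def create_app(**overrides):
    app = Flask(__name__)
    app.config.update(SECRET_KEY=secrets.token_hex(16), **DEFAULT_METHODS)
    app.config.update(overrides)

    def login():
        # Stand-in for real authentication: start a session and issue a CSRF token.
        session["user"] = "constructed-user"
        session["csrf_token"] = secrets.token_urlsafe(32)
        return {"csrf_token": session["csrf_token"]}

    def logout():
        # A state-changing POST must carry the token bound to this session.
        if request.method == "POST":
            sent = request.form.get("csrf_token", "")
            expected = session.get("csrf_token")
            if not expected or not hmac.compare_digest(sent.encode(), expected.encode()):
                abort(400)
        session.clear()
        return redirect(app.config.get("LOGOUT_REDIRECT_URL", "/"))

    # Methods come from config at registration time, not from a decorator
    # argument that is fixed when the class body is imported.
    app.add_url_rule("/login/", "login", login, methods=app.config["AUTH_LOGIN_METHODS"])
    app.add_url_rule("/logout/", "logout", logout, methods=app.config["AUTH_LOGOUT_METHODS"])
    return app


def logout_status(app, method, with_token=False):
    """Log in with a test client, then request /logout/ and return the status code."""
    client = app.test_client()
    token = client.post("/login/").get_json()["csrf_token"]
    data = {"csrf_token": token} if with_token else {}
    return client.open("/logout/", method=method, data=data).status_code
```

With the default methods a cross-site GET (for example an image tag pointing at `/logout/`) ends the session; with `AUTH_LOGOUT_METHODS=["POST"]` the same GET is rejected with 405 and a POST without the token with 400.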