maxcountryman / flask-seasurf

SeaSurf is a Flask extension for preventing cross-site request forgery (CSRF).
http://readthedocs.org/docs/flask-seasurf/

Updating documentation for specifying TESTING=True disabled token generation #67

Closed ninadmhatre closed 7 years ago

ninadmhatre commented 7 years ago

I have a project with 30-odd py files and multiple config files which are loaded according to the environment that is set (like default + [DEV|UAT|PROD]). I was integrating CSRF with my application and it was just not working; I tried it for 1+ hrs and thought something was wrong in my app. I tried on another simple Flask app and it worked within a minute on both Python 2 & 3. I spent some time on Google looking for the reason behind generating an "empty" token, but it was of no help!

Finally I decided to debug the code (which I should have done first), and within 5 minutes I discovered the code `self._csrf_disable = app.config.get('CSRF_DISABLE', app.config.get('TESTING', False))`. I don't remember how or when this was set, but after changing TESTING = False it worked. Sadly I wasted around 2+ hours on this.

Please update the documentation to include a warning / info mentioning that TESTING = True will disable generation of tokens, and if it's not too much, don't return silently in TESTING mode; add some warning like the one below:

```python
import warnings  # at the top of the module


def _before_request(self):
    # self._csrf_disable is True when CSRF_DISABLE, or failing that TESTING, is set in the config
    if self._csrf_disable:
        warnings.warn('Warning: Running application in TESTING mode, TESTING is set to True in config!')
```
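The situation described in this report is a layered config (a default file plus a per-environment overlay) where one layer sets TESTING = True and SeaSurf then silently stops issuing tokens, because its `_csrf_disable` flag falls back to TESTING when CSRF_DISABLE is not set. The following is an added example, not code from flask-seasurf or from the reporter: a small startup audit that merges such layers, reproduces the same `CSRF_DISABLE` / `TESTING` precedence the quoted line uses, and reports which config layer turned CSRF off. The config dictionaries and environment names are constructed for illustration; `load_config`, `csrf_disabled`, `explain_csrf_state` and `audit_environments` are hypothetical helper names.

```python
import warnings
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample config layers (made-up values) mirroring a "default + DEV/UAT/PROD" layout.
DEFAULT_CONFIG: Dict[str, Any] = {
    "SECRET_KEY": "example-secret-do-not-use",
    "TESTING": False,
}

ENV_OVERLAYS: Dict[str, Dict[str, Any]] = {
    # An overlay like this one is enough to switch SeaSurf off without any CSRF setting being touched.
    "DEV": {"TESTING": True, "DEBUG": True},
    "UAT": {"TESTING": False},
    "PROD": {"TESTING": False, "CSRF_DISABLE": False},
}


def load_config(env: str) -> Tuple[Dict[str, Any], Dict[str, str]]:
    """Merge the default layer with one environment overlay.

    Returns the merged config and, for each key, the name of the layer that last set it,
    so a finding can point at the file to fix rather than just the symptom.
    """
    merged: Dict[str, Any] = {}
    origin: Dict[str, str] = {}
    for layer_name, layer in (("default", DEFAULT_CONFIG), (env, ENV_OVERLAYS.get(env, {}))):
        for key, value in layer.items():
            merged[key] = value
            origin[key] = layer_name
    return merged, origin


def csrf_disabled(config: Dict[str, Any]) -> bool:
    """Same precedence as the line quoted in the issue: CSRF_DISABLE wins, else fall back to TESTING."""
    return bool(config.get("CSRF_DISABLE", config.get("TESTING", False)))


def explain_csrf_state(config: Dict[str, Any], origin: Dict[str, str]) -> Optional[str]:
    """Return a human-readable reason when CSRF protection is off, or None when it is on."""
    if not csrf_disabled(config):
        return None
    if "CSRF_DISABLE" in config:
        # Only reachable when CSRF_DISABLE is truthy: an explicit opt-out.
        return f"CSRF explicitly disabled via CSRF_DISABLE (set in '{origin['CSRF_DISABLE']}' config)"
    # No explicit setting: TESTING=True is what disabled it, which is the silent case from the report.
    return f"CSRF disabled because TESTING=True (set in '{origin['TESTING']}' config)"


def audit_environments(envs: List[str]) -> Dict[str, Optional[str]]:
    """Check every environment and raise a warning for each one whose CSRF protection is off."""
    results: Dict[str, Optional[str]] = {}
    for env in envs:
        config, origin = load_config(env)
        reason = explain_csrf_state(config, origin)
        results[env] = reason
        if reason is not None:
            warnings.warn(f"[{env}] {reason}")
    return results


if __name__ == "__main__":
    for env, reason in audit_environments(["DEV", "UAT", "PROD"]).items():
        print(f"{env}: {reason or 'CSRF protection active'}")
```

Run at application start-up (or in CI for every environment), this makes the "empty token" symptom show up as a named warning with the responsible config layer, which is the kind of signal the report asks SeaSurf itself to emit.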
maxcountryman commented 7 years ago

https://github.com/maxcountryman/flask-seasurf/blob/d8cfcc71b7d5f87931cdd07f12d0108fc8d3b0a2/flask_seasurf.py#L221-L222

If you'd like to provide additional documentation, you're more than welcome to provide a pull request. Thanks!