## Describe your changes

This PR integrates CSRF protection into the login process to enhance security. Changes include:

- Generating a CSRF token upon rendering the sign up, login, and change password pages.
- Including the CSRF token as a hidden field in the associated templates.
- Validating the CSRF token in the POST request against the session-stored token.
- Handling errors to reject requests where the CSRF tokens do not match with a 400 error.
## Non-obvious technical information

We use Flask-WTF's `generate_csrf()` to create the tokens that secure our forms against CSRF attacks, and validate them against the session-stored token. Because validation is bound to the user's session, an incorrect or missing token results in an error, which blocks the CSRF attempt. This setup ensures our login mechanism rejects unauthorized cross-site requests.
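The generate-on-render, embed-as-hidden-field, validate-on-POST cycle the PR describes, as an added stand-alone illustration (not code from this PR and not Flask-WTF's implementation). To stay runnable without Flask it uses only the standard library: `issue_csrf_token`, `render_hidden_field`, `validate_csrf_token` and `simulate_login_flow` are hypothetical helpers, and the session and form are plain dicts standing in for the framework's session store and request form.

```python
import hmac
import html
import secrets

# Session key under which the per-session token is stored (constructed name,
# not the key Flask-WTF uses).
SESSION_KEY = "csrf_token"
FORM_FIELD = "csrf_token"


def issue_csrf_token(session: dict) -> str:
    """Called when a form page (sign up, login, change password) is rendered.

    Reuses the session's existing token so several open tabs stay valid, and
    creates a fresh random one only for a session that has none yet.
    """
    token = session.get(SESSION_KEY)
    if not token:
        token = secrets.token_urlsafe(32)
        session[SESSION_KEY] = token
    return token


def render_hidden_field(token: str) -> str:
    """The hidden input the template includes in the form (value HTML-escaped)."""
    return f'<input type="hidden" name="{FORM_FIELD}" value="{html.escape(token)}">'


def validate_csrf_token(session: dict, form: dict) -> tuple[int, str]:
    """Called on POST: compare the submitted token with the session-stored one.

    Returns an HTTP status and message; a missing or mismatching token yields
    400, mirroring the PR's error handling. A third-party site cannot read the
    victim's session token, so a forged cross-site POST fails this check.
    """
    expected = session.get(SESSION_KEY)
    submitted = form.get(FORM_FIELD)
    if not isinstance(expected, str) or not isinstance(submitted, str) or not submitted:
        return 400, "The CSRF token is missing."
    # Constant-time comparison on bytes (avoids timing leaks and the
    # ASCII-only restriction of compare_digest on str).
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return 400, "The CSRF token is invalid."
    return 200, "OK"


def simulate_login_flow() -> dict:
    """Walk one legitimate login and one forged cross-site POST (constructed data)."""
    session = {}
    # GET /login: token issued and embedded in the rendered template.
    token = issue_csrf_token(session)
    hidden_field = render_hidden_field(token)
    # POST /login from the real form: hidden field travels with the credentials.
    legit = validate_csrf_token(session, {FORM_FIELD: token, "username": "alice"})
    # POST /login from an attacker-controlled page: the browser still attaches
    # the victim's session cookie, but the attacker does not know the token.
    forged = validate_csrf_token(session, {"username": "alice"})
    guessed = validate_csrf_token(session, {FORM_FIELD: "not-the-real-token"})
    return {
        "hidden_field_present": FORM_FIELD in hidden_field,
        "legit": legit,
        "forged": forged,
        "guessed": guessed,
    }


if __name__ == "__main__":
    for name, result in simulate_login_flow().items():
        print(f"{name}: {result}")
```

With Flask-WTF the first two helpers collapse to `generate_csrf()` in the view and `{{ csrf_token() }}` in the template, and the comparison is done by the extension; the point this illustrates is that the token the form carries must be checked against the token the session holds, never trusted on its own.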
## Checklist before requesting a review

- [ ] `pre-commit run --all-files` (run before pushing)