Don't disable CSRF tokens.

[usrbinsam]

Disabling CSRF tokens to get this to work is unnecessary, and doing so is a bad idea.

Flask-WTF does not make retrieving the CSRF token convenient but it's easy to do with the help of the BeautifulSoup module. Or any other HTML parser to get the token out of the <input> tag on the login page.

import json
import requests
from bs4 import BeautifulSoup

def getLoginToken(address, email, password):

    client = requests.session()

    soup = BeautifulSoup(client.get(address).text, "html.parser")
    csrf = soup.find("input", { "name": "csrf_token" })["value"]

    login_data = json.dumps({
        "email": email,
        "password": password,
        "csrf_token": csrf
    })

    r = client.post(address, data=login_data, headers={ "content-type": "application/json" })

    print(r.json())

getLoginToken("http://127.0.0.1:5000/login", "sam@example.com", "hunter2")

[karlloic]

Good answer @miniCruzer However this does not solve the bigger issue here