Fix csrf configuration

CSRF has been initialized *before* the app config was fully read. That
made it impossible to configure CSRF properly. Moved the CSRF init into
the routes module, and switched from programmatic to decorated
exemptions. GET routes don't need to be exempted because they are exempt by
default.
corubba
2022-05-27 12:53:19 +02:00
parent 2c0225e961
commit 3e462dab17
5 changed files with 31 additions and 29 deletions


@ -10,7 +10,7 @@ from yaml import Loader, load
from flask import Blueprint, render_template, make_response, url_for, current_app, g, session, request, redirect, abort
from flask_login import login_user, logout_user, login_required, current_user
from .base import login_manager
from .base import csrf, login_manager
from ..lib import utils
from ..decorators import dyndns_login_required
from ..models.base import db
@ -763,6 +763,7 @@ def resend_confirmation_email():
@index_bp.route('/nic/checkip.html', methods=['GET', 'POST'])
@csrf.exempt
def dyndns_checkip():
# This route covers the default ddclient 'web' setting for the checkip service
return render_template('dyndns.html',
@ -771,6 +772,7 @@ def dyndns_checkip():
@index_bp.route('/nic/update', methods=['GET', 'POST'])
@csrf.exempt
@dyndns_login_required
def dyndns_update():
# dyndns protocol response codes in use are:
@ -961,6 +963,7 @@ def saml_metadata():
@index_bp.route('/saml/authorized', methods=['GET', 'POST'])
@csrf.exempt
def saml_authorized():
errors = []
if not current_app.config.get('SAML_ENABLED'):
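Review bot: None of the three `@csrf.exempt` decorators (on `dyndns_checkip`, `dyndns_update` and `saml_authorized`) says why the route is safe without a token, and `dyndns_update` needs that most because it is the state-changing one. With the exemption, its only guard against a cross-site request is `dyndns_login_required`, which is defined outside this page; if that decorator accepts the browser session cookie rather than only credentials sent by the dyndns client, a forged POST would be accepted, so that is worth confirming. I would put a one-line reason above each exemption, for example `# CSRF-exempt: called by dyndns clients with their own credentials, not from a browser session` on the two `/nic/` routes and `# CSRF-exempt: the IdP posts the SAML response cross-site; trust comes from validating the response` on `saml_authorized`, once each statement has been checked against the code. As far as I know `csrf.exempt` records a view by its module and function name, so `dyndns_login_required` should keep those intact with `functools.wraps`; otherwise other views wrapped by it could end up exempt too. The bodies of all three functions continue outside the visible hunks.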