Use WTF CSRF protection for login form instead of JWT CSRF protection

manisandro · manisandro · commit 63718b2f1510 · 2024-11-17T18:28:25.000+01:00
JWT CSRF protection does nothing if no JWT is passed in the request (i.e. if user is not logged in)
diff --git a/src/db_auth.py b/src/db_auth.py
@@ -128,14 +128,6 @@ def tenant_base(self):
         prefix = self.app.session_interface.get_cookie_path(self.app)
         return prefix.rstrip('/') + '/'
 
-    def csrf_token(self):
-        """ Inject CSRF token """
-        token = (get_jwt() or {}).get("csrf")
-        if token:
-            return token
-        else:
-            return ""
-
     def login(self):
         """Authorize user and sign in."""
         target_url = url_path(request.args.get('url') or self.tenant_base())
@@ -241,8 +233,7 @@ def login(self):
 
         return render_template('login.html', form=form, i18n=i18n,
                             title=i18n.t("auth.login_page_title"),
-                            login_hint=self.login_hint,
-                            csrf_token=self.csrf_token())
+                            login_hint=self.login_hint)
 
     def verify_login(self):
         """Verify user login (e.g. from basic auth header)."""
@@ -314,8 +305,7 @@ def __verify(self, db_session, submit=True):
                 return redirect(url_for('login'))
 
         return render_template('verify.html', form=form, i18n=i18n,
-                               title=i18n.t("auth.verify_page_title"),
-                               csrf_token=self.csrf_token())
+                               title=i18n.t("auth.verify_page_title"))
 
     def logout(self, identity):
         """Sign out."""
@@ -393,8 +383,7 @@ def __setup_totp(self, db_session, submit=True):
         resp = make_response(render_template(
             'qrcode.html', form=form, i18n=i18n,
             title=i18n.t("auth.qrcode_page_title"),
-            totp_secret=totp_secret,
-            csrf_token=self.csrf_token()
+            totp_secret=totp_secret
         ))
         # do not cache in browser
         resp.headers.set(
@@ -488,8 +477,7 @@ def new_password(self):
                         flash(i18n.t("auth.reset_mail_failed"))
                         return render_template(
                             'new_password.html', form=form, i18n=i18n,
-                            title=i18n.t("auth.new_password_page_title"),
-                            csrf_token=self.csrf_token()
+                            title=i18n.t("auth.new_password_page_title")
                         )
                 else:
                     self.logger.info("User lookup failed")
@@ -500,8 +488,7 @@ def new_password(self):
 
         return render_template(
             'new_password.html', form=form, i18n=i18n,
-            title=i18n.t("auth.new_password_page_title"),
-            csrf_token=self.csrf_token()
+            title=i18n.t("auth.new_password_page_title")
         )
 
     def edit_password(self, token, identity=None):
@@ -535,8 +522,7 @@ def edit_password(self, token, identity=None):
                         else:
                             return render_template(
                                 'edit_password.html', form=form, i18n=i18n,
-                                title=i18n.t("auth.edit_password_page_title"),
-                                csrf_token=self.csrf_token()
+                                title=i18n.t("auth.edit_password_page_title")
                             )
 
                     if not self.password_accepted(
@@ -555,8 +541,7 @@ def edit_password(self, token, identity=None):
 
                         return render_template(
                             'edit_password.html', form=form, i18n=i18n,
-                            title=i18n.t("auth.edit_password_page_title"),
-                            csrf_token=self.csrf_token()
+                            title=i18n.t("auth.edit_password_page_title")
                         )
 
                     # save new password
@@ -581,16 +566,14 @@ def edit_password(self, token, identity=None):
                     else:
                         return render_template(
                             'edit_password.html', form=form, i18n=i18n,
-                            title=i18n.t("auth.edit_password_page_title"),
-                            csrf_token=self.csrf_token()
+                            title=i18n.t("auth.edit_password_page_title")
                         )
                 else:
                     # invalid reset token
                     flash(i18n.t("auth.edit_password_invalid_token"))
                     return render_template(
                         'edit_password.html', form=form, i18n=i18n,
-                        title=i18n.t("auth.edit_password_page_title"),
-                        csrf_token=self.csrf_token()
+                        title=i18n.t("auth.edit_password_page_title")
                     )
 
         if token:
@@ -599,8 +582,7 @@ def edit_password(self, token, identity=None):
 
         return render_template(
             'edit_password.html', form=form, i18n=i18n,
-            title=i18n.t("auth.edit_password_page_title"),
-            csrf_token=self.csrf_token()
+            title=i18n.t("auth.edit_password_page_title")
         )
 
     def require_password_change(self, user, reason, target_url):
@@ -633,8 +615,7 @@ def require_password_change(self, user, reason, target_url):
         flash(i18n.t('auth.edit_password_message'))
         return render_template(
             'edit_password.html', form=form, i18n=i18n,
-            title=i18n.t("auth.edit_password_page_title"),
-            csrf_token=self.csrf_token()
+            title=i18n.t("auth.edit_password_page_title")
         )
 
     def edit_password_form(self):
@@ -819,13 +800,11 @@ def __login_response(self, user, target_url):
                 'notification.html', form=form, i18n=i18n,
                 title=i18n.t("auth.notification_page_title"),
                 message=i18n.t("auth.notification_expiry_notice", days=days),
-                target_url=target_url,
-                csrf_token=self.csrf_token()
+                target_url=target_url
             )
             resp = make_response(page)
 
-        # Set the JWTs and the CSRF double submit protection cookies
-        # in this response
+        # Set the JWTs in this response
         set_access_cookies(resp, access_token)
 
         return resp
@@ -869,14 +848,12 @@ def send_reset_passwort_instructions(self, user):
             msg.body = render_template(
                 'reset_password_instructions.%s.txt' % i18n.get('locale'),
                 user=user, reset_url=reset_url,
-                unlock_url=unlock_url,
-                csrf_token=self.csrf_token()
+                unlock_url=unlock_url
             )
         except:
             msg.body = render_template(
                 'reset_password_instructions.en.txt',
-                user=user, reset_url=reset_url,
-                csrf_token=self.csrf_token()
+                user=user, reset_url=reset_url
             )
 
         # send message
diff --git a/src/server.py b/src/server.py
@@ -26,6 +26,10 @@
 app.config['SESSION_COOKIE_SECURE'] = app.config['JWT_COOKIE_SECURE']
 app.config['SESSION_COOKIE_SAMESITE'] = app.config['JWT_COOKIE_SAMESITE']
 
+# For login CSRF protection, use WTF CSRF protection (as no JWT is available before login)
+os.environ['JWT_COOKIE_CSRF_PROTECT'] = 'False'
+app.config['WTF_CSRF_ENABLED'] = True
+
 jwt = auth_manager(app)
 app.secret_key = app.config['JWT_SECRET_KEY']
 
@@ -35,9 +39,7 @@
 # *Enable* WTForms built-in messages translation
 # https://wtforms.readthedocs.io/en/2.3.x/i18n/
 app.config['WTF_I18N_ENABLED'] = False
-# WTF CSRF protection conflicts with JWT CSRF protection
-# https://github.com/vimalloc/flask-jwt-extended/issues/15
-app.config['WTF_CSRF_ENABLED'] = False
+
 
 # https://blog.miguelgrinberg.com/post/the-flask-mega-tutorial-part-v-user-logins
 login = LoginManager(app)
@@ -89,7 +91,6 @@ def load_user(id):
 
 
 @app.route('/login', methods=['GET', 'POST'])
-@optional_auth
 def login():
     return db_auth_handler().login()
 
diff --git a/src/templates/base.html b/src/templates/base.html
@@ -17,8 +17,7 @@
         {% if form.background %}
         <div class="form-background" style="background-image: url('{{form.background}}');">
         {% endif %}
-        {% set form_errors = form.errors.get('csrf_token', []) if form else [] %}
-        {% with messages = get_flashed_messages() + form_errors %}
+        {% with messages = get_flashed_messages() %}
         {% if messages %}
         <ul>
             {% for message in messages %}
diff --git a/src/templates/edit_password.html b/src/templates/edit_password.html
@@ -4,7 +4,6 @@
     <h1>{{ i18n.t('auth.edit_password_page_title') }}</h1>
     <form action="{{ url_for('edit_password') }}" method="post">
         {{ form.hidden_tag() }}
-        <input id="csrf_token" name="csrf_token" type="hidden" value="{{ csrf_token }}">
         <div class="login edit-password">
             <div class="login-screen">
                 <div class="app-title">
diff --git a/src/templates/login.html b/src/templates/login.html
@@ -3,7 +3,6 @@
 {% block content %}
     <form action="" method="post" autocomplete="off">
         {{ form.hidden_tag() }}
-        <input id="csrf_token" name="csrf_token" type="hidden" value="{{ csrf_token }}">
         <div class="login">
             <div class="login-screen">
                 <div class="app-title">
diff --git a/src/templates/new_password.html b/src/templates/new_password.html
@@ -4,7 +4,6 @@
     <h1>{{ i18n.t('auth.new_password_page_title') }}</h1>
     <form action="" method="post">
         {{ form.hidden_tag() }}
-        <input id="csrf_token" name="csrf_token" type="hidden" value="{{ csrf_token }}">
         <div class="login new-password">
             <div class="login-screen">
                 <div class="app-title">
diff --git a/src/templates/notification.html b/src/templates/notification.html
@@ -3,7 +3,6 @@
 {% block content %}
     <h1>{{ i18n.t('auth.notification_page_title') }}</h1>
     <form action="#" method="get">
-        <input id="csrf_token" name="csrf_token" type="hidden" value="{{ csrf_token }}">
         <div class="login notification">
             <div class="login-screen">
                 <div class="app-title">
diff --git a/src/templates/qrcode.html b/src/templates/qrcode.html
@@ -4,7 +4,6 @@
     <h1>{{ i18n.t('auth.qrcode_page_title') }}</h1>
     <form action="{{ url_for('setup_totp') }}" method="post">
         {{ form.hidden_tag() }}
-        <input id="csrf_token" name="csrf_token" type="hidden" value="{{ csrf_token }}">
         <div class="login totp-setup">
             <div class="login-screen">
                 <div class="app-title">
diff --git a/src/templates/verify.html b/src/templates/verify.html
@@ -4,7 +4,6 @@
     <h1>{{ i18n.t('auth.verify_page_title') }}</h1>
     <form action="{{ url_for('verify') }}" method="post">
         {{ form.hidden_tag() }}
-        <input id="csrf_token" name="csrf_token" type="hidden" value="{{ csrf_token }}">
         <div class="login verify">
             <div class="login-screen">
                 <div class="app-title">
