Flask-WTF对CSRF令牌设置时间限制 [英] Flask-WTF set time limit on CSRF token
问题描述
我目前正在使用Flask-WTF v0.13.1,我的网站上有一些表格,所有表格都包含CSRF令牌.
I'm currently using Flask-WTF v0.13.1, i have a few forms on my website, all created including the CSRF token.
由于某些原因,我必须在每种表单上设置不同的到期时间,到目前为止,我可以在创建csrf令牌时手动设置 time_limit
值.
For some reasons i have to set a different expiration on each form, so far i could set manually the time_limit
value upon creating the csrf token.
根据更改日志 time_limit
不见了,文档中也没有关于如何更改它的参考.在源代码中,我看到该表单具有 csrf_time_limit
元参数.
I would like to update to the v0.14, according to the changelog time_limit
is gone and there is no reference in the docs on how to change it anymore.
Looking in the source code i saw that the form has a csrf_time_limit
meta parameter.
我试图在表单上设置该参数:
I tried to set that parameter on my form:
from flask_wtf import FlaskForm
class myForm(FlaskForm):
class Meta:
csrf_time_limit = 7200
content = TextAreaField('content')
Although debugging the csrf.py
module i see that the validate_csrf_token
of _FlaskFormCSRF
is actually never called.
相反,在方法 protect()
中调用方法 validate_csrf
,在这种情况下,永不考虑元参数.
The method validate_csrf
is called within the method protect()
instead, in this case the meta parameter is never considered.
我不知道这是否是程序包中的错误,或者我是否缺少某些东西.
I don't understand if this is a bug of the package or if i'm missing something.
更新:
示例代码:
app.py
from flask import Flask, render_template, request
from flask_wtf.csrf import CSRFProtect
from flask_wtf import FlaskForm
from wtforms import IntegerField
csrf = CSRFProtect()
app = Flask(__name__)
app.config.update(dict(
SECRET_KEY="super secret key"
))
csrf.init_app(app)
class MyForm(FlaskForm):
class Meta:
csrf_time_limit = 1
id = IntegerField('id')
@app.route("/", methods=['GET', 'POST'])
def test_form_csrf():
if request.method == 'POST':
myForm = MyForm(request.form)
print(myForm.id.data)
return render_template('test_form.html', myForm= MyForm())
templates/test_form.html
templates/test_form.html
<form method="post" action="/">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
{{ myForm.id }}
<input type="submit" value="test" />
</form>
requirements.txt
requirements.txt
click==6.7
Flask==0.12.2
Flask-WTF==0.14.2
itsdangerous==0.24
Jinja2==2.10
MarkupSafe==1.0
Werkzeug==0.14.1
WTForms==2.1
项目结构
app.py
templates
|
--- test_form.html
要运行代码,
FLASK_APP=app.py flask run
我还在此行上放置了一个调试断点检查 time_limit
的实际值,该值始终为 3600
.
I also put a debug breakpoint on this line to check the actual value of time_limit
, the value is always 3600
.
推荐答案
按照您的这些行:
Following your changelog link, I looked through the commit and found these lines:
if time_limit is None:
time_limit = current_app.config.get('WTF_CSRF_TIME_LIMIT', 3600)
将 app.config ['WTF_CSRF_TIME_LIMIT']
设置为一些较短的值似乎可行.我已使用 app.config ['WTF_CSRF_TIME_LIMIT'] = 30
将其设置为30秒,并且表单在该时间段后过期,但是我没有尝试使用比默认值更长的值.
Setting app.config['WTF_CSRF_TIME_LIMIT']
to some shorter value seems to work. I have set it to 30 seconds with app.config['WTF_CSRF_TIME_LIMIT'] = 30
and the form expired after that amount of time, but I have not tried a longer value than the default.
我不确定是否可以即时更改app.config值,以解决无法为每个表单设置过期时间的问题.
I am not sure if you can change an app.config value on the fly in order to hack your way around not being able to set an expiration per form.
这篇关于Flask-WTF对CSRF令牌设置时间限制的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!