added flask-seasurf for csrf protection

requirements.txt

@@ -8,10 +8,14 @@ brotli==1.0.9
  # via strong-but-simple-passwords (setup.py)
 click==7.1.2
  # via flask
+flask-seasurf==0.3.0
+ # via strong-but-simple-passwords (setup.py)
 flask-talisman==0.7.0
  # via strong-but-simple-passwords (setup.py)
 flask==1.1.2
- # via strong-but-simple-passwords (setup.py)
+ # via
+ # flask-seasurf
+ # strong-but-simple-passwords (setup.py)
 gunicorn==20.0.4
  # via strong-but-simple-passwords (setup.py)
 itsdangerous==1.1.0

setup.py

@@ -5,5 +5,12 @@
  version="0.1.0",
  packages=find_packages(),
  include_package_data=True,
- install_requires=["flask", "flask-talisman", "whitenoise", "brotli", "gunicorn"],
+ install_requires=[
+ "flask",
+ "flask-talisman",
+ "flask-seasurf",
+ "whitenoise",
+ "brotli",
+ "gunicorn",
+ ],
 )

strong_but_simple_passwords/__init__.py

@@ -1,5 +1,6 @@
 from flask import Flask
 from flask_talisman import Talisman
+from flask_seasurf import SeaSurf
 from whitenoise import WhiteNoise
 from pathlib import Path
 from .config import get_config_from_env_vars
@@ -17,6 +18,9 @@ def create_app(config=None):
 
  app.add_url_rule("/", "index", view_func=views.index, methods=("GET", "POST"))
 
+ # add CSRF protection
+ SeaSurf(app)
+
  # use whitenoise to serve static files
  static_root = Path(__file__).parent / "static/"
  app.wsgi_app = WhiteNoise(app.wsgi_app, root=static_root, prefix="static/")

strong_but_simple_passwords/templates/index.html

@@ -44,6 +44,7 @@ <h3>2. Only keep the first 3 letters of each word</h3>
  <h3>3. Put a random symbol somewhere in between</h3>
  </li>
  </ol>
+ <input type="hidden" name="_csrf_token" value="{{ csrf_token() }}">
  <button type="submit">Generate password!</button>
  </form>
  </main>