Enable the CSRF check for the login page

activitypub.py

@@ -293,6 +293,8 @@ class BaseActivity(object):
     def _should_purge_cache(self) -> bool:
         raise NotImplementedError
 
+    # FIXME(tsileo): _pre_process_from_inbox, _pre_post_to_outbox, allow to prevent saving, check for undo, delete, update both inbox and outbox
+
     def process_from_inbox(self) -> None:
         logger.debug(f'calling main process from inbox hook for {self}')
         self.verify()
@@ -719,7 +721,6 @@ class Update(BaseActivity):
         # TODO(tsileo): implements _should_purge_cache if it's a reply of a published activity (i.e. in the outbox)
 
     def _post_to_outbox(self, obj_id: str, activity: ObjectType, recipients: List[str]) -> None:
-        print('UPDATE')
         obj = self._data['object']
 
         update_prefix = 'activity.object.'

app.py

@@ -73,7 +73,7 @@ app.secret_key = get_secret_key('flask')
 app.config.update(
     WTF_CSRF_CHECK_DEFAULT=False,
 )
-# csrf = CSRFProtect(app)
+csrf = CSRFProtect(app)
 
 logger = logging.getLogger(__name__)
 
@@ -287,6 +287,7 @@ def login():
     devices = [doc['device'] for doc in DB.u2f.find()]
     u2f_enabled = True if devices else False
     if request.method == 'POST':
+        csrf.protect()
         pwd = request.form.get('pass')
         if pwd and verify_pass(pwd):
             if devices:

templates/login.html

@@ -8,6 +8,7 @@
 	{% if session.logged_in %}logged{% else%}not logged{%endif%}
 
 <form id="login-form" method="POST">
+	 <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
 	<input type="password" name="pass" placeholder="password">
 	{% if u2f_enabled %}
 	<input type="hidden" name="resp" id="sig-payload" value="">