Merge pull request #66 from trein/master

Enable CSRF protection

{{cookiecutter.app_name}}/{{cookiecutter.app_name}}/app.py

@@ -4,7 +4,7 @@ from flask import Flask, render_template
 
 from {{cookiecutter.app_name}} import public, user
 from {{cookiecutter.app_name}}.assets import assets
-from {{cookiecutter.app_name}}.extensions import bcrypt, cache, db, debug_toolbar, login_manager, migrate
+from {{cookiecutter.app_name}}.extensions import bcrypt, cache, db, debug_toolbar, csrf_protect, login_manager, migrate
 from {{cookiecutter.app_name}}.settings import ProdConfig
 
 
@@ -27,6 +27,7 @@ def register_extensions(app):
     bcrypt.init_app(app)
     cache.init_app(app)
     db.init_app(app)
+    csrf_protect.init_app(app)
     login_manager.init_app(app)
     debug_toolbar.init_app(app)
     migrate.init_app(app, db)

{{cookiecutter.app_name}}/{{cookiecutter.app_name}}/extensions.py

@@ -3,11 +3,13 @@
 from flask_bcrypt import Bcrypt
 from flask_cache import Cache
 from flask_debugtoolbar import DebugToolbarExtension
+from flask_wtf.csrf import CsrfProtect
 from flask_login import LoginManager
 from flask_migrate import Migrate
 from flask_sqlalchemy import SQLAlchemy
 
 bcrypt = Bcrypt()
+csrf_protect = CsrfProtect()
 login_manager = LoginManager()
 db = SQLAlchemy()
 migrate = Migrate()

{{cookiecutter.app_name}}/{{cookiecutter.app_name}}/templates/nav.html

@@ -35,7 +35,7 @@
       <li><a href="{{ url_for('public.register') }}">Create account</a></li>
     </ul>
     <form id="loginForm" method="POST" class="navbar-form form-inline navbar-right" action="/" role="login">
-      {{ form.hidden_tag() }}
+      <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
       <div class="form-group">
         {{ form.username(placeholder="Username", class_="form-control") }}
         {{ form.password(placeholder="Password", class_="form-control") }}