From 8577dc7fd62164f55f31d4f13352e2464ae359df Mon Sep 17 00:00:00 2001
From: "Guilherme M. Trein" <guitrein@yahoo.com.br>
Date: Fri, 4 Mar 2016 20:50:59 -0500
Subject: [PATCH] Enable CSRF protection

- CSRF is enabled by default for login form
- This commit resolves issue #34
---
 {{cookiecutter.app_name}}/{{cookiecutter.app_name}}/app.py     | 3 ++-
 .../{{cookiecutter.app_name}}/extensions.py                    | 2 ++
 .../{{cookiecutter.app_name}}/templates/nav.html               | 2 +-
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/{{cookiecutter.app_name}}/{{cookiecutter.app_name}}/app.py b/{{cookiecutter.app_name}}/{{cookiecutter.app_name}}/app.py
index 62c54ff..6ab624f 100644
--- a/{{cookiecutter.app_name}}/{{cookiecutter.app_name}}/app.py
+++ b/{{cookiecutter.app_name}}/{{cookiecutter.app_name}}/app.py
@@ -4,7 +4,7 @@ from flask import Flask, render_template
 
 from {{cookiecutter.app_name}} import public, user
 from {{cookiecutter.app_name}}.assets import assets
-from {{cookiecutter.app_name}}.extensions import bcrypt, cache, db, debug_toolbar, login_manager, migrate
+from {{cookiecutter.app_name}}.extensions import bcrypt, cache, db, debug_toolbar, csrf_protect, login_manager, migrate
 from {{cookiecutter.app_name}}.settings import ProdConfig
 
 
@@ -27,6 +27,7 @@ def register_extensions(app):
     bcrypt.init_app(app)
     cache.init_app(app)
     db.init_app(app)
+    csrf_protect.init_app(app)
     login_manager.init_app(app)
     debug_toolbar.init_app(app)
     migrate.init_app(app, db)
diff --git a/{{cookiecutter.app_name}}/{{cookiecutter.app_name}}/extensions.py b/{{cookiecutter.app_name}}/{{cookiecutter.app_name}}/extensions.py
index de72e89..0eec573 100644
--- a/{{cookiecutter.app_name}}/{{cookiecutter.app_name}}/extensions.py
+++ b/{{cookiecutter.app_name}}/{{cookiecutter.app_name}}/extensions.py
@@ -3,11 +3,13 @@
 from flask_bcrypt import Bcrypt
 from flask_cache import Cache
 from flask_debugtoolbar import DebugToolbarExtension
+from flask_wtf.csrf import CsrfProtect
 from flask_login import LoginManager
 from flask_migrate import Migrate
 from flask_sqlalchemy import SQLAlchemy
 
 bcrypt = Bcrypt()
+csrf_protect = CsrfProtect()
 login_manager = LoginManager()
 db = SQLAlchemy()
 migrate = Migrate()
diff --git a/{{cookiecutter.app_name}}/{{cookiecutter.app_name}}/templates/nav.html b/{{cookiecutter.app_name}}/{{cookiecutter.app_name}}/templates/nav.html
index 57ed624..faeec2d 100644
--- a/{{cookiecutter.app_name}}/{{cookiecutter.app_name}}/templates/nav.html
+++ b/{{cookiecutter.app_name}}/{{cookiecutter.app_name}}/templates/nav.html
@@ -35,7 +35,7 @@
       <li><a href="{{ url_for('public.register') }}">Create account</a></li>
     </ul>
     <form id="loginForm" method="POST" class="navbar-form form-inline navbar-right" action="/" role="login">
-      {{ form.hidden_tag() }}
+      <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
       <div class="form-group">
         {{ form.username(placeholder="Username", class_="form-control") }}
         {{ form.password(placeholder="Password", class_="form-control") }}