flask-wtforms如何获取csrf_token的值

Question

使用flask-wtforms如何在后端获取到csrf_token的值

Answer 1

这取决于你的 token 存放位置.

示例1. 放在表单中

<form method="post">
    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
</form>

那么后端用 request.form['csrf_token'] 可获取.

示例2. 放在 Ajax Header 中

<script type="text/javascript">
    var csrf_token = "{{ csrf_token() }}";

    $.ajaxSetup({
        beforeSend: function(xhr, settings) {
            if (!/^(GET|HEAD|OPTIONS|TRACE)$/i.test(settings.type) && !this.crossDomain) {
                xhr.setRequestHeader("X-CSRFToken", csrf_token);
            }
        }
    });
</script>

那么后端可用 request.headers['X-CSRFToken'].

---

或者参考 flask CSRF 的源代码实现
https://github.com/lepture/fl...

    def _get_csrf_token(self):
        # find the token in the form data
        field_name = current_app.config['WTF_CSRF_FIELD_NAME']
        base_token = request.form.get(field_name)

        if base_token:
            return base_token

        # if the form has a prefix, the name will be {prefix}-csrf_token
        for key in request.form:
            if key.endswith(field_name):
                csrf_token = request.form[key]

                if csrf_token:
                    return csrf_token

        # find the token in the headers
        for header_name in current_app.config['WTF_CSRF_HEADERS']:
            csrf_token = request.headers.get(header_name)

            if csrf_token:
                return csrf_token

        return None