Preserve CSRF errors in all cases (refs #29)

vimalloc · vimalloc · commit 005fca57b18d · 2017-02-02T09:39:17.000-07:00
diff --git a/flask_jwt_extended/exceptions.py b/flask_jwt_extended/exceptions.py
@@ -28,7 +28,14 @@ class InvalidHeaderError(JWTExtendedException):
 
 class NoAuthorizationError(JWTExtendedException):
     """
-    An error getting header information from a request
+    An error raised when no authorization token was found in a protected endpoint
+    """
+    pass
+
+
+class CSRFError(JWTExtendedException):
+    """
+    An error with CSRF protection
     """
     pass
 
diff --git a/flask_jwt_extended/jwt_manager.py b/flask_jwt_extended/jwt_manager.py
@@ -1,7 +1,8 @@
 from flask import jsonify
 
 from flask_jwt_extended.exceptions import JWTDecodeError, NoAuthorizationError, \
-    InvalidHeaderError, WrongTokenError, RevokedTokenError, FreshTokenRequired
+    InvalidHeaderError, WrongTokenError, RevokedTokenError, FreshTokenRequired, \
+    CSRFError
 from jwt import ExpiredSignatureError, InvalidTokenError
 
 
@@ -61,6 +62,10 @@ def init_app(self, app):
         def handle_auth_error(e):
             return self._unauthorized_callback(str(e))
 
+        @app.errorhandler(CSRFError)
+        def handle_auth_error(e):
+            return self._unauthorized_callback(str(e))
+
         @app.errorhandler(ExpiredSignatureError)
         def handle_expired_error(e):
             return self._expired_token_callback()
diff --git a/flask_jwt_extended/utils.py b/flask_jwt_extended/utils.py
@@ -21,7 +21,7 @@
     get_csrf_header_name, get_jwt_header_name
 from flask_jwt_extended.exceptions import JWTEncodeError, JWTDecodeError, \
     InvalidHeaderError, NoAuthorizationError, WrongTokenError, \
-    FreshTokenRequired
+    FreshTokenRequired, CSRFError
 from flask_jwt_extended.blacklist import check_if_token_revoked, store_token
 
 
@@ -206,9 +206,9 @@ def _decode_jwt_from_cookies(type):
         if not isinstance(csrf_token_from_cookie, six.string_types):
             raise JWTDecodeError("Invalid claim: 'csrf' (must be a string)")
         if csrf_token_from_header is None:
-            raise NoAuthorizationError("Missing CSRF token in headers")
+            raise CSRFError("Missing CSRF token in headers")
         if not safe_str_cmp(csrf_token_from_header,  csrf_token_from_cookie):
-            raise NoAuthorizationError("CSRF double submit tokens do not match")
+            raise CSRFError("CSRF double submit tokens do not match")
     return token
 
 
