fix sign in and sign up was broken

Author: mozillazg

firefly/app.py

@@ -5,6 +5,7 @@
 from flask import Flask, g, request, send_from_directory
 from flask_security import MongoEngineUserDatastore
 from flask_social_blueprint.core import SocialBlueprint
+from flask_wtf.csrf import CsrfProtect
 
 from firefly import config as _config
 from firefly.ext import (
@@ -34,6 +35,7 @@ def create_app(config):
     db.init_app(app)
     mail.init_app(app)
     redis_store.init_app(app)
+    CsrfProtect(app)
 
     register_auth(app)
     register_hooks(app)

firefly/templates/base.html

@@ -8,7 +8,7 @@
   <meta name="viewport" content="width=device-width, minimum-scale=1.0, maximum-scale=1.0, user-scalable=yes"/>
   {% block title %}
   {% endblock %}
-  <link rel="icon" type="image/png" href="${url_for('static', filename='icon.png')}"/>
+  <link rel="icon" type="image/png" href="{{url_for('static', filename='icon.png')}}"/>
   <link href="{{url_for('static', filename='stylesheets/hljs.css')}}" rel="stylesheet"/>
   <link href="{{url_for('static', filename='stylesheets/themes/zenburn.css')}}" rel="stylesheet"/>
   <script src="{{url_for('static', filename='javascripts/libs/require.min.js')}}"></script>
@@ -50,7 +50,7 @@
                         <div class="panel">
                         {% if current_user.is_authenticated() %}
                             Hi {{current_user.username if current_user.username else current_user.cn}}
-                            <a title="退出" class="btn-primary btn-small btn sign-out-button" href="${url_for('security.logout')}">
+                            <a title="退出" class="btn-primary btn-small btn sign-out-button" href="{{url_for('security.logout')}}">
                             </a>
                         {% else %}
                             <button title="注册" class="btn-primary btn-small btn sign-up-button">注册</button>

firefly/templates/login.html

@@ -7,7 +7,7 @@
         <h3>登录</h3>
         <div class="clearfix"></div>
     </div>
-    <form id="signinform" class="login-form" role="form" method="post" action="${url_for('home.login')}">
+    <form id="signinform" class="login-form" role="form" method="post" action="{{url_for('home.login')}}">
         <div class="form-group">
             <label class="control-label" for="">第三方登录</label>
             <div class="thirdparty-login-btns">
@@ -29,14 +29,15 @@ <h3>登录</h3>
             </div>
         </div>
         <div class="form-group">
+            <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
             <label class="control-label" for="inputEmail">邮箱</label>
-            <input id="inputEmail" class="form-control" name="" type="text" value="" type="email" required="" tabindex="1" name="email"/>
+            <input id="inputEmail" class="form-control" type="text" value="" type="email" required="" tabindex="1" name="email"/>
         </div>
         <div class="form-group">
             <label class="control-label" for="inputPassword">
                 密码（<a tabindex="4" href="/forgotpass">忘记密码</a>）
             </label>
-            <input id="inputPassword" class="form-control" name="" type="text" value="" type="password" required="" tabindex="2" name="password" />
+            <input id="inputPassword" class="form-control" type="text" value="" type="password" required="" tabindex="2" name="password" />
         </div>
         <div class="form-group">
             <button id="loginBtn" class="login-btn btn-default" tabindex="3" type="submit">
@@ -58,7 +59,7 @@ <h3>注册</h3>
         </div>
     </div>
 
-    <form id="signupform" class="login-form" role="form" method="post" action="${url_for('home.register')}">
+    <form id="signupform" class="login-form" role="form" method="post" action="{{url_for('home.register')}}">
         <div class="form-group">
             <label class="control-label" for="">
                 第三方注册
@@ -83,21 +84,22 @@ <h3>注册</h3>
         </div>
 
         <div class="form-group">
+            <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
             <label class="control-label" for="inputUsername">
                 用户名
             </label>
             <b class="has-required" data-title="必填">Required</b>
-            <input id="inputUsername" class="form-control" name="" type="text" value="" type="text" name="username" tabindex="1"/>
+            <input id="inputUsername" class="form-control" type="text" value="" type="text" name="username" tabindex="1"/>
         </div>
         <div class="form-group">
             <label class="control-label" for="inputEmail">邮箱</label>
             <b class="has-required" data-title="必填">Required</b>
-            <input id="inputEmail" class="form-control" name="" type="text" value="" type="email" name="email" tabindex="2"/>
+            <input id="inputEmail" class="form-control" type="text" value="" type="email" name="email" tabindex="2"/>
         </div>
         <div class="form-group">
             <label class="control-label" for="inputPassword">密码</label>
             <b class="has-required" data-title="必填，至少 8 位，同时包含数字、小写字母、大写字母">Required</b>
-            <input id="inputPassword" class="form-control" name="" type="text" value="" type="password" name="password" tabindex="3" />
+            <input id="inputPassword" class="form-control" type="text" value="" type="password" name="password" tabindex="3" />
         </div>
         <div class="form-group">
             <button id="signupBtn" class="signup-btn btn btn-default" type="submit" tabindex="4" disabled="disabled" >注册</button>

firefly/views/home.py

@@ -68,8 +68,7 @@ def get(self):
         return redirect(url_for('home.index'))
 
     def post(self):
-        # TODO 解决在首页登录框中无法获取 csrf_token 的问题
-        form = LoginForm(csrf_enabled=False)
+        form = LoginForm()
         if form.validate_on_submit():
             login_user(form.user)
         return redirect(url_for('home.index'))
@@ -81,7 +80,7 @@ def get(self):
         return redirect(url_for('home.index'))
 
     def post(self):
-        form = RegisterForm(csrf_enabled=False)
+        form = RegisterForm()
         if form.validate_on_submit():
             user = form.save()
             login_user(user)