Stateless implementation of Cross-Site Request Forgery (XSRF) Protection by using Double Submit Cookie mitigation pattern
Project description
FastAPI CSRF Protect
Features
FastAPI extension that provides stateless Cross-Site Request Forgery (XSRF) Protection support.
Aimed to be easy to use and lightweight, we adopt Double Submit Cookie mitigation pattern.
If you were familiar with flask-wtf library this extension suitable for you.
This extension inspired by fastapi-jwt-auth 😀
- Storing
fastapi-csrf-tokenin cookies or serve it in template's context
Installation
The easiest way to start working with this extension with pip
pip install fastapi-csrf-protect
# or
poetry add fastapi-csrf-protect
Getting Started
The following examples show you how to integrate this extension to a FastAPI App
Example Login Form
from fastapi import FastAPI, Request, Depends
from fastapi.responses import JSONResponse
from fastapi.templating import Jinja2Templates
from fastapi_csrf_protect import CsrfProtect
from fastapi_csrf_protect.exceptions import CsrfProtectError
from pydantic import BaseModel
app = FastAPI()
templates = Jinja2Templates(directory="templates")
class CsrfSettings(BaseModel):
secret_key: str = "asecrettoeverybody"
cookie_samesite: str = "none"
@CsrfProtect.load_config
def get_csrf_config():
return CsrfSettings()
@app.get("/login")
def form(request: Request, csrf_protect: CsrfProtect = Depends()):
"""
Returns form template.
"""
csrf_token, signed_token = csrf_protect.generate_csrf_tokens()
response = templates.TemplateResponse(
"form.html", {"request": request, "csrf_token": csrf_token}
)
csrf_protect.set_csrf_cookie(signed_token, response)
return response
@app.post("/login", response_class=JSONResponse)
async def create_post(request: Request, csrf_protect: CsrfProtect = Depends()):
"""
Creates a new Post
"""
await csrf_protect.validate_csrf(request)
response: JSONResponse = JSONResponse(status_code=200, content={"detail": "OK"})
csrf_protect.unset_csrf_cookie(response) # prevent token reuse
return response
@app.exception_handler(CsrfProtectError)
def csrf_protect_exception_handler(request: Request, exc: CsrfProtectError):
return JSONResponse(status_code=exc.status_code, content={"detail": exc.message})
Contributions
To contribute to the project, fork the repository and clone to your local device and install preferred testing dependency pytest Alternatively, run the following command on your terminal to do so:
pip install -U poetry
poetry install
Testing can be done by the following command post-installation:
poetry install --with test
pytest
Changelog
🚧 Breaking Changes (0.3.0 -> 0.3.1) The double submit update
- The
generate_csrfmethod has now been marked for deprecation - The recommended method is now
generate_csrf_tokenswhich returns a tuple of tokens, first unsigned and the latter signed - Recommended pattern is for the first token is aimed for returning as part of context
- Recommended pattern is for the signed token to be set in client's cookie completing Double Submit Cookie
- To prevent token reuse, protected endpoint can unset the signed CSRF Token in client's cookies as per example code and recommended pattern.
🚧 Breaking Changes (0.3.1 -> 0.3.2) The anti-JavaScript update
- New keys are added at setup
token_location(eitherbodyorheader) andtoken_keyis key where form-encoded keeps the csrf token stored, cross-checked with csrf secret in cookies. - Asynchronous
validate_csrfmethod now needs to be awaited therefore protected endpoints need to be asynchronous as well.
Error in version 0.3.5 after updating to Pydantic V2
- Made a blunder when updating from Pydantic V1 to Pydantic V2 and caused an error to occur when
setting
cookie_samesitein settings - Fixed in version
0.3.6
Run Examples
To run the provided examples, first you must install extra dependencies uvicorn and jinja2 Alternatively, run the following command on your terminal to do so
poetry install --with examples
Running the example utilizing form submission
uvicorn examples.body:app
Running the example utilizing headers via JavaScript
uvicorn examples.header:app
License
This project is licensed under the terms of the MIT license.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file fastapi_csrf_protect-0.3.6.tar.gz.
File metadata
- Download URL: fastapi_csrf_protect-0.3.6.tar.gz
- Upload date:
- Size: 182.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.4.16
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | fb9a6e304f5fe42ba4f2c0e4967bd21a2693c4aa89d95cf6f04b2af0287cdb01 |
|
| MD5 | 1dde4cc40c9127864cad404164514a1d |
|
| BLAKE2b-256 | 06cf5834bba5795422f266aa76f57a98b43ce5bad8f1d80f85eba368218c5ade |
File details
Details for the file fastapi_csrf_protect-0.3.6-py3-none-any.whl.
File metadata
- Download URL: fastapi_csrf_protect-0.3.6-py3-none-any.whl
- Upload date:
- Size: 10.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.4.16
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | a0de413d939a7192a210d8d1729468e14e6519d97e202e2cd5614e4a48ff9f25 |
|
| MD5 | 8169504712b6b798b2a919aa73b525dc |
|
| BLAKE2b-256 | b42c3ed42cecbcdaa97aabea43f8a3853b245fc10b412b74a962d1842f56167a |
