Fix CSRF error on JWT optional (#129)

Landon Gilbert-Bland · Landon Gilbert-Bland · commit 1a3ce7c6e1cd · 2018-03-06T14:13:48.000-07:00
diff --git a/flask_jwt_extended/view_decorators.py b/flask_jwt_extended/view_decorators.py
@@ -156,17 +156,17 @@ def _decode_jwt_from_cookies(request_type):
         cookie_key = config.refresh_cookie_name
         csrf_header_key = config.refresh_csrf_header_name
 
+    encoded_token = request.cookies.get(cookie_key)
+    if not encoded_token:
+        raise NoAuthorizationError('Missing cookie "{}"'.format(cookie_key))
+
     if config.csrf_protect and request.method in config.csrf_request_methods:
         csrf_value = request.headers.get(csrf_header_key, None)
         if not csrf_value:
             raise CSRFError("Missing CSRF token in headers")
     else:
         csrf_value = None
 
-    encoded_token = request.cookies.get(cookie_key)
-    if not encoded_token:
-        raise NoAuthorizationError('Missing cookie "{}"'.format(cookie_key))
-
     return decode_token(encoded_token, csrf_value=csrf_value)
 
 
diff --git a/tests/test_cookies.py b/tests/test_cookies.py
@@ -4,7 +4,7 @@
 from flask_jwt_extended import (
     jwt_required, JWTManager, jwt_refresh_token_required, create_access_token,
     create_refresh_token, set_access_cookies, set_refresh_cookies,
-    unset_jwt_cookies
+    unset_jwt_cookies, jwt_optional
 )
 
 def _get_cookie_from_response(response, cookie_name):
@@ -66,6 +66,11 @@ def refresh_protected():
     def post_refresh_protected():
         return jsonify(foo='bar')
 
+    @app.route('/optional_post_protected', methods=['POST'])
+    @jwt_optional
+    def optional_post_protected():
+        return jsonify(foo='bar')
+
     return app
 
 
@@ -391,3 +396,21 @@ def test_cookies_without_csrf(app):
     assert len(cookies) == 1
     refresh_cookie = _get_cookie_from_response(response, 'refresh_token_cookie')
     assert refresh_cookie is not None
+
+def test_jwt_optional_with_csrf_enabled(app):
+    test_client = app.test_client()
+
+    # User without a token should be able to reach the endpoint without
+    # getting a CSRF error
+    response = test_client.post('/optional_post_protected')
+    json_data = json.loads(response.get_data(as_text=True))
+    assert response.status_code == 200
+    assert json_data == {'foo': 'bar'}
+
+    # User with a token should still get a CSRF error if csrf not present
+    response = test_client.get('/access_token')
+    csrf_token = _get_cookie_from_response(response, 'csrf_access_token')['csrf_access_token']
+    response = test_client.post('/optional_post_protected')
+    json_data = json.loads(response.get_data(as_text=True))
+    assert response.status_code == 401
+    assert json_data == {'msg': 'Missing CSRF token in headers'}
