
@slint
Created November 27, 2019 16:28
########
# in invenio_app/csrf.py
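class CSRF(object):
    """Sketch of a CSRF extension that lets other extensions run hooks first.

    Hooks registered through :meth:`before_request` are called at the start
    of every request, before the (elided) CSRF validation.
    """

    def __init__(self):
        # The sketch appended to this list without ever creating it, so the
        # first ``before_request`` call would raise AttributeError.
        self._before_request_funcs = []

    def init_app(self, app):
        """Register the CSRF ``before_request`` handler on *app*.

        :param app: An instance of :class:`flask.Flask`.
        """
        @app.before_request
        def csrf_protect():
            # Run the registered hooks first. Presumably this is what lets a
            # hook mark the request (e.g. ``request.csrf_exempt``) before the
            # check below -- confirm against the full implementation.
            # Every hook runs on every request ahead of CSRF validation, so
            # only trusted extension code should be registered here.
            for func in self._before_request_funcs:
                func()
            # Elided in the original sketch: the CSRF validation itself.
            ...

    def before_request(self, func):
        """Register *func* to be called before CSRF validation.

        :param func: A callable taking no arguments.
        :returns: *func* unchanged, so the method also works as a decorator.
        """
        self._before_request_funcs.append(func)
        return func


csrf = CSRF()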
#########
# in invenio_oauth2server/ext.py
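class InvenioOAuth2ServerREST(object):
    """Sketch of the REST extension wiring OAuth token verification."""

    def init_app(self, app, **kwargs):
        """Flask application initialization.

        Registers ``verify_oauth_token_and_set_current_user`` on the app and,
        when ``invenio_app.csrf`` is importable, also as a pre-CSRF hook.

        :param app: An instance of :class:`flask.Flask`.
        """
        self.init_config(app)
        try:
            # The CSRF extension is optional; without it only the plain
            # ``app.before_request`` registration below applies.
            from invenio_app.csrf import csrf

            csrf.before_request(verify_oauth_token_and_set_current_user)

            @oauth.after_request
            def csrf_exempt_oauth(valid, oauth):
                # Exempt the request from CSRF only when the token validated.
                # A request with a missing or invalid token may still be
                # authenticated by the session cookie, which the browser
                # attaches automatically, so it must stay CSRF-protected.
                if valid:
                    request.csrf_exempt = True
                # NOTE(review): Flask-OAuthlib unpacks the return value of
                # after_request hooks as (valid, request); the sketch returned
                # None. Assumes ``oauth`` is such a provider -- confirm.
                return valid, oauth
        except ImportError:
            pass
        # Registered on both paths; the handler's own run-once guard keeps
        # it from running twice per request.
        app.before_request(verify_oauth_token_and_set_current_user)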
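def verify_oauth_token_and_set_current_user():
    """Verify the OAuth token for the current request, at most once.

    The handler is registered both as a pre-CSRF hook and as a regular
    ``before_request`` function, so it marks the request once it has run.
    """
    # to make sure we run only once
    # The default is required: on the first call the attribute has not been
    # set yet, and a two-argument ``getattr`` would raise AttributeError.
    if getattr(request, 'oauth_verify_has_run', False):
        return
    # ... rest of the logic
    ...
    # Set only after the logic above completed.
    request.oauth_verify_has_run = True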