From 816833bac01d747a4360a411691405f6e42ef8a1 Mon Sep 17 00:00:00 2001
From: Bui <bui@bui.pm>
Date: Tue, 17 Mar 2020 02:18:18 +0000
Subject: [PATCH] handle csrf error

---
 app.py                   | 8 ++++++--
 public/src/js/strings.js | 4 ++++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/app.py b/app.py
index 22419b7..45d9a7b 100644
--- a/app.py
+++ b/app.py
@@ -14,7 +14,7 @@ from functools import wraps
 from flask import Flask, g, jsonify, render_template, request, abort, redirect, session, flash
 from flask_caching import Cache
 from flask_session import Session
-from flask_wtf.csrf import CSRFProtect, generate_csrf
+from flask_wtf.csrf import CSRFProtect, generate_csrf, CSRFError
 from ffmpy import FFmpeg
 from pymongo import MongoClient
 
@@ -23,7 +23,6 @@ client = MongoClient(host=config.MONGO['host'])
 
 app.secret_key = config.SECRET_KEY
 app.config['SESSION_TYPE'] = 'redis'
-app.config['SESSION_COOKIE_HTTPONLY'] = False
 app.cache = Cache(app, config=config.REDIS)
 sess = Session()
 sess.init_app(app)
@@ -86,6 +85,11 @@ def admin_required(level):
     return decorated_function
 
 
+@app.errorhandler(CSRFError)
+def handle_csrf_error(e):
+    return api_error('invalid_csrf')
+
+
 @app.before_request
 def before_request_func():
     if session.get('session_id'):
diff --git a/public/src/js/strings.js b/public/src/js/strings.js
index 8eae935..26a3d24 100644
--- a/public/src/js/strings.js
+++ b/public/src/js/strings.js
@@ -1048,6 +1048,10 @@ var translations = {
 		verify_password_invalid: {
 			ja: null,
 			en: "Verification password does not match",
+		},
+		invalid_csrf: {
+			ja: null,
+			en: "Security token expired. Please refresh the page."
 		}
 	},
 	browserSupport: {