Merge pull request #391 from dod-ccpo/csrf-error

Redirect to login page when CSRF error occurs

atst/routes/errors.py

@@ -1,4 +1,5 @@
-from flask import render_template, current_app
+from flask import render_template, current_app, url_for, redirect, request
+from flask_wtf.csrf import CSRFError
 import werkzeug.exceptions as werkzeug_exceptions
 
 import atst.domain.exceptions as exceptions
@@ -23,6 +24,12 @@ def make_error_pages(app):
         log_error(e)
         return render_template("error.html", message="Log in Failed"), 401
 
+    @app.errorhandler(CSRFError)
+    # pylint: disable=unused-variable
+    def session_expired(e):
+        log_error(e)
+        return redirect(url_for("atst.root", sessionExpired=True, next=request.path))
+
     @app.errorhandler(Exception)
     # pylint: disable=unused-variable
     def exception(e):

templates/login.html

@@ -11,6 +11,12 @@
       <div class='col'>
 
         <div class='login-banner'>
+          {% if request.args.get("sessionExpired") %}
+            {{ Alert('Session Expired',
+                message='Your session expired due to inactivity. Please log in again to continue.',
+                level='error'
+            ) }}
+          {% endif %}
           <h1 class="login-banner__heading">Access the JEDI Cloud</h1>
 
           <img class="login-banner__logo" src="{{url_for('static', filename='img/ccpo-logo.svg')}}" alt="Cloud Computing Program Office Logo">

tests/routes/test_errors.py

@@ -0,0 +1,21 @@
+import pytest
+
+
+@pytest.fixture
+def csrf_enabled_app(app):
+    app.config.update({"WTF_CSRF_ENABLED": True})
+    yield app
+    app.config.update({"WTF_CSRF_ENABLED": False})
+
+
+def test_csrf_error(csrf_enabled_app, client):
+    response = client.post(
+        "/requests/new/1",
+        headers={"Content-Type": "application/x-www-form-urlencoded"},
+        data="csrf_token=invalid_token",
+        follow_redirects=True,
+    )
+
+    body = response.data.decode()
+    assert "Session Expired" in body
+    assert "Log in Required" in body