Getting ready for 5.4.3

Add a CSRF test showing @unauth_csrf no longer falls through.

CHANGES.rst

@@ -6,7 +6,7 @@ Here you can see the full list of changes between each Flask-Security release.
 Version 5.4.3
 -------------
 
-Released xxx
+Released March xx, 2024
 
 Fixes
 +++++

flask_security/__init__.py

@@ -136,4 +136,4 @@
 )
 from .webauthn_util import WebauthnUtil
 
-__version__ = "5.4.2"
+__version__ = "5.4.3"

tests/test_csrf.py

@@ -658,3 +658,18 @@ def custom():
         },
     )
     assert b"CSRF" not in response.data
+
+
+@pytest.mark.csrf(csrfprotect=True)
+def test_csrf_json_protect(app, client):
+    # test sending CSRF token in json body for an unauth endpoint (/login)
+    # In older code the @unauth_csrf() decorator would 'fall through' - if the
+    # decorator CSRF checked failed it would fall through to the form CSRF check.
+    # The decorator CSRF check returns a 400 JSON response.
+    csrf_token = _get_csrf_token(client)
+    response = client.post(
+        "/login",
+        json=dict(email="[email protected]", password="password", csrf_token=csrf_token),
+    )
+    assert response.status_code == 400
+    assert response.json["response"]["errors"][0] == "The CSRF token is missing."

tox.ini

@@ -153,7 +153,7 @@ deps =
     jinja2
 skip_install = true
 commands =
-    pybabel extract --version 5.4.2 --keyword=_fsdomain --project=Flask-Security \
+    pybabel extract --version 5.4.3 --keyword=_fsdomain --project=Flask-Security \
         -o flask_security/translations/flask_security.pot \
         --msgid-bugs-address[email protected] --mapping-file=babel.ini \
         --add-comments=NOTE flask_security