From 593761c7669faf54043b88778d28d51e9f86d9dd Mon Sep 17 00:00:00 2001
From: Jeff Zohrab
Date: Sun, 25 Aug 2024 18:42:13 -0700
Subject: [PATCH] Disable CSRF check.

CSRF is vital for financial apps, as it prevents bad sites from trying to send anonymous requests to them, but Lute is just a local thing running on a port. Zero security risk, IMO.
---
 lute/app_factory.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lute/app_factory.py b/lute/app_factory.py
index 5ea74b77e..3bf1b143d 100644
--- a/lute/app_factory.py
+++ b/lute/app_factory.py
@@ -303,6 +303,11 @@ def _create_app(app_config, extra_config):
 # ref https://flask-sqlalchemy.palletsprojects.com/en/2.x/config/
 # Don't track mods.
 "SQLALCHEMY_TRACK_MODIFICATIONS": False,
+ # Disable CSRF -- this is a local app, and it's highly
+ # unlikely that a malicious site will try to hack anyone's Lute data.
+ # ref https://stackoverflow.com/questions/5207160/
+ # what-is-a-csrf-token-what-is-its-importance-and-how-does-it-work
+ "WTF_CSRF_ENABLED": False,
 }
 final_config = {**config, **extra_config}
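Review bot: The rationale given in the added comment (and in the commit message) does not hold: a page open in the user's browser can still submit cross-site requests to a service bound to a local port, which is precisely the request class CSRF tokens exist to reject, so "local only" is not what makes the risk zero. Setting `"WTF_CSRF_ENABLED": False` unconditionally in the base config appears to remove the check standing between any visited web page and Lute's state-changing endpoints, and the comment pointing at a generic CSRF explainer does not record that trade-off. Since `final_config = {**config, **extra_config}` already lets callers override entries, the safer shape is to leave the default enabled and have tests or dev setups pass `"WTF_CSRF_ENABLED": False` through `extra_config`; if the project still wants it off by default, replace the added comment with one that states the consequence, e.g. `# CSRF disabled for convenience: any site open in the same browser can then POST to Lute's endpoints.` `_create_app` begins and ends outside the hunk.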