don't look for csrf token in form if already found in header (#119)

piccolo-orm · Dec 13, 2021 · cfd92ec · cfd92ec
1 parent 86731db
commit cfd92ec
Showing 1 changed file with 6 additions and 5 deletions.
diff --git a/piccolo_api/csrf/middleware.py b/piccolo_api/csrf/middleware.py
@@ -129,12 +129,13 @@ async def dispatch(
             if not cookie_token:
                 return Response("No CSRF cookie found", status_code=403)
 
-            if self.allow_header_param:
-                header_token = request.headers.get(self.header_name, None)
-            else:
-                header_token = None
+            header_token = (
+                request.headers.get(self.header_name)
+                if self.allow_header_param
+                else None
+            )
 
-            if self.allow_form_param:
+            if self.allow_form_param and not header_token:
                 form_data = await request.form()
                 form_token = form_data.get(self.cookie_name, None)
                 request.scope.update({"form": form_data})