Disable csrf_token for post requests

I would like to make post requests to my app from a web form. However I get a code 400. I am able to get it to work after postman first logs in.

Is there a way to allow all post requests at an app level or just elimitate crsf tokens for a while till I figure a workaround.

I beleive everything is in auth.py.

self.validate_csrf_token()

	# write out latest cookies
	frappe.local.cookie_manager.init_cookies()

	# check status
	check_session_stopped()

def validate_csrf_token(self):
	if frappe.local.request and frappe.local.request.method=="POST":
		if not frappe.local.session: return
		if not frappe.local.session.data.csrf_token \
			or frappe.local.session.data.device=="mobile" \
			or frappe.conf.get('ignore_csrf', None):
			# not via boot
			return

		csrf_token = frappe.get_request_header("X-frappe-CSRF-Token")
		if not csrf_token and "csrf_token" in frappe.local.form_dict:
			csrf_token = frappe.local.form_dict.csrf_token
			del frappe.local.form_dict["csrf_token"]

		if frappe.local.session.data.csrf_token != csrf_token:
			frappe.local.flags.disable_traceback = True
			frappe.throw(_("Invalid Request"), frappe.CSRFTokenError)
1 Like