aekasitt
diff --git a/‎README.md‎
Lines changed: 55 additions & 0 deletions b/‎README.md‎
Lines changed: 55 additions & 0 deletions
diff --git a/‎pyproject.toml‎
Lines changed: 2 additions & 2 deletions b/‎pyproject.toml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎src/fastapi_csrf_protect/__init__.py‎
Lines changed: 2 additions & 2 deletions b/‎src/fastapi_csrf_protect/__init__.py‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎src/fastapi_csrf_protect/core.py‎
Lines changed: 3 additions & 3 deletions b/‎src/fastapi_csrf_protect/core.py‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎src/fastapi_csrf_protect/csrf_config.py‎
Lines changed: 1 addition & 1 deletion b/‎src/fastapi_csrf_protect/csrf_config.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/fastapi_csrf_protect/exceptions.py‎
Lines changed: 1 addition & 1 deletion b/‎src/fastapi_csrf_protect/exceptions.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/fastapi_csrf_protect/flexible/__init__.py‎
Lines changed: 18 additions & 0 deletions b/‎src/fastapi_csrf_protect/flexible/__init__.py‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎src/fastapi_csrf_protect/flexible/core.py‎
Lines changed: 188 additions & 0 deletions b/‎src/fastapi_csrf_protect/flexible/core.py‎
Lines changed: 188 additions & 0 deletions
@@ -84,6 +84,56 @@ def csrf_protect_exception_handler(request: Request, exc: CsrfProtectError):
 
 ```
 
+### 📌 Flexible Mode (fastapi_csrf_protect.flexible)
+
+Some applications combine **Server-Side Rendering (SSR)** with **API endpoints** in the same project.
+For example:
+  - **SSR pages** rendered with Jinja2 templates that use HTML forms (CSRF token in **form body**)
+  - **AJAX / API calls** (e.g. DELETE, PUT, PATCH) that pass the CSRF token in the **HTTP header**
+
+The main fastapi-csrf-protect package is **opinionated** and expects the CSRF token in **one location only** (either header or body).
+For hybrid apps, this can be inconvenient.
+
+The **flexible sub-package** provides a drop-in replacement for CsrfProtect that **always accepts CSRF tokens from either the header or the form body**, with the following priority:
+  - **Header**: X-CSRFToken
+  - **Body**: token_key (form-data)
+
+### When to use flexible
+
+Use fastapi_csrf_protect.flexible if:
+  - You have both SSR pages and API endpoints in the same project.
+  - Some requests (like DELETE) cannot send a body but still require CSRF validation.
+  - You want to avoid maintaining two different CSRF configurations.
+
+If your app only uses **one** method to send CSRF tokens, stick to the **core package** for a stricter policy.
+
+### How to send the CSRF token in your client code
+
+#### HTML Form (SSR)
+
+```html
+<form method="post" action="/login">
+    <input type="hidden" name="token_key" value="{{ csrf_token }}">
+    <!-- other fields -->
+</form>
+```
+#### AJAX (JavaScript)
+
+```javascript
+fetch("/items/123", {
+    method: "DELETE",
+    headers: {
+        "X-CSRFToken": getCookie("csrftoken")
+    },
+    credentials: "include"
+});
+```
+
+> [!IMPORTANT]
+> - The flexible sub-package ignores the token_location setting — tokens from either header or body are always accepted.
+> - CSRF token validation still requires a matching CSRF cookie as in the base package.
+> - Priority is given to header over body when both are present.
+
 ## Contributions
 
 ### Prerequisites
@@ -210,6 +260,11 @@ pytest
 * Attempted to make `mypyc` compilation; Failed due to dependency injection pattern
 * Add `py.typed` to project
 
+### Version 1.0.4
+
+* Add submodule `flexible` where `CsrfProtect` does not pre-determine `token_key` & `token_location`
+* Test `fastapi_csrf_protect.flexible.CsrfProtect` with runtime variable `token_location`
+
 ### Run Examples
 
 To run the provided examples, first you must install extra dependencies [uvicorn](https://github.com/encode/uvicorn) and [jinja2](https://github.com/pallets/jinja/)
 
@@ -66,14 +66,14 @@ readme = 'README.md'
 name = 'fastapi-csrf-protect'
 repository = 'https://github.com/aekasitt/fastapi-csrf-protect'
 requires-python = '>=3.9'
-version = '1.0.3'
+version = '1.0.4'
 
 
 [tool.mypy]
 disallow_incomplete_defs = true
 disallow_untyped_calls = true
 disallow_untyped_defs = true
-exclude = [ 'examples', 'tests' ]
+exclude = [ 'examples' ]
 strict = true
 
 
 
@@ -1,7 +1,7 @@
 #!/usr/bin/env python3
 # Copyright (C) 2020-2025 All rights reserved.
 # FILENAME:    ~~/src/fastapi_csrf_protect/__init__.py
-# VERSION:     1.0.3
+# VERSION:     1.0.4
 # CREATED:     2020-11-25 14:35
 # AUTHOR:      Sitt Guruvanich <[email protected]>
 # DESCRIPTION: https://www.w3docs.com/snippets/python/what-is-init-py-for.html
@@ -21,4 +21,4 @@
 __all__: Tuple[str, ...] = ("CsrfProtect",)
 __name__ = "fastapi-csrf-protect"
 __package__ = "fastapi-csrf-protect"
-__version__ = "1.0.3"
+__version__ = "1.0.4"
@@ -1,7 +1,7 @@
 #!/usr/bin/env python3
 # Copyright (C) 2020-2025 All rights reserved.
 # FILENAME:    ~~/src/fastapi_csrf_protect/core.py
-# VERSION:     1.0.3
+# VERSION:     1.0.4
 # CREATED:     2020-11-25 14:35
 # AUTHOR:      Sitt Guruvanich <[email protected]>
 # DESCRIPTION:
@@ -172,9 +172,9 @@ async def validate_csrf(
     if self._token_location == "header":
       token = self.get_csrf_from_headers(request.headers)
     else:
-      if hasattr(request, "_json"):
+      if hasattr(request, "_json") and isinstance(request._json, dict):
         token = request._json.get(self._token_key, "")
-      elif hasattr(request, "_form") and request._form is not None:
+      elif hasattr(request, "_form") and isinstance(request._form, dict):
         form_data: Union[None, UploadFile, str] = request._form.get(self._token_key)
         if not form_data or isinstance(form_data, UploadFile):
           raise MissingTokenError("Form data must be of type string")
 
@@ -1,7 +1,7 @@
 #!/usr/bin/env python3
 # Copyright (C) 2020-2025 All rights reserved.
 # FILENAME:    ~~/src/fastapi_csrf_protect/csrf_config.py
-# VERSION:     1.0.3
+# VERSION:     1.0.4
 # CREATED:     2020-11-25 14:35
 # AUTHOR:      Sitt Guruvanich <[email protected]>
 # DESCRIPTION:
 
@@ -1,7 +1,7 @@
 #!/usr/bin/env python3
 # Copyright (C) 2020-2025 All rights reserved.
 # FILENAME:    ~~/src/fastapi_csrf_protect/exceptions.py
-# VERSION:     1.0.3
+# VERSION:     1.0.4
 # CREATED:     2020-11-25 14:35
 # AUTHOR:      Sitt Guruvanich <[email protected]>
 # DESCRIPTION:
 
@@ -0,0 +1,18 @@
+#!/usr/bin/env python3
+# Copyright (C) 2020-2025 All rights reserved.
+# FILENAME:    ~~/src/fastapi_csrf_protect/flexible/__init__.py
+# VERSION:     1.0.4
+# CREATED:     2025-08-11 16:02:06+02:00
+# AUTHOR:      Eliam Lotonga <[email protected]>
+# DESCRIPTION: https://www.w3docs.com/snippets/python/what-is-init-py-for.html
+#
+# HISTORY:
+# *************************************************************
+
+### Standard packages ###
+from typing import Tuple
+
+### Local modules ###
+from fastapi_csrf_protect.flexible.core import CsrfProtect
+
+__all__: Tuple[str, ...] = ("CsrfProtect",)
@@ -0,0 +1,188 @@
+#!/usr/bin/env python3
+# Copyright (C) 2020-2025 All rights reserved.
+# FILENAME:    ~~/src/fastapi_csrf_protect/flexible/core.py
+# VERSION:     1.0.4
+# CREATED:     2025-08-11 16:02:06+02:00
+# AUTHOR:      Eliam Lotonga <[email protected]>
+# DESCRIPTION: https://www.w3docs.com/snippets/python/what-is-init-py-for.html
+#
+# HISTORY:
+# *************************************************************
+
+### Standard packages ###
+from hashlib import sha1
+from os import urandom
+from re import match
+from typing import Dict, Tuple, Optional, Union
+
+### Third-party packages ###
+from itsdangerous import BadData, SignatureExpired, URLSafeTimedSerializer
+from pydantic import create_model
+from starlette.datastructures import Headers
+from starlette.requests import Request
+from starlette.responses import Response
+
+### Local modules ###
+from fastapi_csrf_protect.exceptions import (
+  MissingTokenError,
+  TokenValidationError,
+)
+from fastapi_csrf_protect.flexible.csrf_config import CsrfConfig
+
+
+class CsrfProtect(CsrfConfig):
+  """Flexible CSRF validation: accepts token from either header or form body.
+
+  Priority:
+    1. Header
+    2. Body
+  """
+
+  def generate_csrf_tokens(self, secret_key: Optional[str] = None) -> Tuple[str, str]:
+    """
+    Generate a CSRF token and a signed CSRF token using server's secret key to be stored in cookie.
+
+    ---
+    :param secret_key: (Optional) the secret key used when generating tokens for users
+    :type secret_key: (str | None) Defaults to None.
+    """
+    secret_key = secret_key or self._secret_key
+    if secret_key is None:
+      raise RuntimeError("A secret key is required to use CsrfProtect extension.")
+    serializer = URLSafeTimedSerializer(secret_key, salt="fastapi-csrf-token")
+    token = sha1(urandom(64)).hexdigest()
+    signed = serializer.dumps(token)
+    return token, signed
+
+  def get_csrf_from_body(self, data: bytes) -> str:
+    """
+    Get token from the request body
+
+    ---
+    :param data: attached request body containing cookie data with configured `token_key`
+    :type data: bytes
+    """
+    fields: Dict[str, Tuple[type, str]] = {self._token_key: (str, "csrf-token")}
+    Body = create_model("Body", **fields)
+    content: str = '{"' + data.decode("utf-8").replace("&", '","').replace("=", '":"') + '"}'
+    body = Body.model_validate_json(content)
+    token: str = body.model_dump()[self._token_key]
+    return token
+
+  def get_csrf_from_headers(self, headers: Headers) -> Union[None, str]:
+    """
+    Get token from the request headers
+
+    ---
+    :param headers: Headers containing header with configured `header_name`
+    :type headers: starlette.datastructures.Headers
+    """
+    header_name, header_type = self._header_name, self._header_type
+    header_parts = None
+    try:
+      header_parts = headers[header_name].split()
+    except KeyError:
+      return None
+    token: Union[None, str] = None
+    if not header_type:
+      # <HeaderName>: <Token>
+      if len(header_parts) != 1:
+        return token
+      token = header_parts[0]
+    else:
+      # <HeaderName>: <HeaderType> <Token>
+      if not match(r"{}\s".format(header_type), headers[header_name]) or len(header_parts) != 2:
+        return token
+      token = header_parts[1]
+    return token
+
+  def set_csrf_cookie(self, csrf_signed_token: str, response: Response) -> None:
+    """
+    Sets Csrf Protection token to the response cookies
+
+    ---
+    :param csrf_signed_token: signed CSRF token from `generate_csrf_token` method
+    :type csrf_signed_token: str
+    :param response: The FastAPI response object to sets the access cookies in.
+    :type response: fastapi.responses.Response
+    """
+    if not isinstance(response, Response):
+      raise TypeError("The response must be an object response FastAPI")
+    response.set_cookie(
+      self._cookie_key,
+      csrf_signed_token,
+      max_age=self._max_age,
+      path=self._cookie_path,
+      domain=self._cookie_domain,
+      secure=self._cookie_secure,
+      httponly=self._httponly,
+      samesite=self._cookie_samesite,
+    )
+
+  def unset_csrf_cookie(self, response: Response) -> None:
+    """
+    Remove Csrf Protection token from the response cookies
+
+    ---
+    :param response: The FastAPI response object to delete the access cookies in.
+    :type response: fastapi.responses.Response
+    """
+    if not isinstance(response, Response):
+      raise TypeError("The response must be an object response FastAPI")
+    response.delete_cookie(
+      self._cookie_key,
+      path=self._cookie_path,
+      domain=self._cookie_domain,
+      secure=self._cookie_secure,
+      httponly=self._httponly,
+      samesite=self._cookie_samesite,
+    )
+
+  async def validate_csrf(
+    self,
+    request: Request,
+    cookie_key: Optional[str] = None,
+    secret_key: Optional[str] = None,
+    time_limit: Optional[int] = None,
+  ) -> None:
+    """
+    Check if the given data is a valid CSRF token. This compares the given
+    signed token to the one stored in the session.
+
+    ---
+    :param request: incoming Request instance
+    :type request: fastapi.requests.Request
+    :param cookie_key: (Optional) field name for the CSRF token field stored in cookies
+        Default is set in CsrfConfig when `load_config` was called;
+    :type cookie_key: str
+    :param secret_key: (Optional) secret key used to decrypt the token
+        Default is set in CsrfConfig when `load_config` was called;
+    :type secret_key: str
+    :param time_limit: (Optional) Number of seconds that the token is valid.
+        Default is set in CsrfConfig when `load_config` was called;
+    :type time_limit: int
+    :raises TokenValidationError: Contains the reason that validation failed.
+    """
+    secret_key = secret_key or self._secret_key
+    if secret_key is None:
+      raise RuntimeError("A secret key is required to use CsrfProtect extension.")
+    cookie_key = cookie_key or self._cookie_key
+    signed_token = request.cookies.get(cookie_key)
+    if signed_token is None:
+      raise MissingTokenError(f"Missing Cookie: `{cookie_key}`.")
+    time_limit = time_limit or self._max_age
+    token: None | str = self.get_csrf_from_headers(request.headers)
+    if not token:
+      token = self.get_csrf_from_body(await request.body())
+    serializer = URLSafeTimedSerializer(secret_key, salt="fastapi-csrf-token")
+    try:
+      signature: str = serializer.loads(signed_token, max_age=time_limit)
+      if token != signature:
+        raise TokenValidationError("The CSRF signatures submitted do not match.")
+    except SignatureExpired:
+      raise TokenValidationError("The CSRF token has expired.")
+    except BadData:
+      raise TokenValidationError("The CSRF token is invalid.")
+
+
+__all__: Tuple[str, ...] = ("CsrfProtect",)