Sanic meets WTForms

pyx, updated 🕥 2022-01-22 14:33:58

=============================== Sanic-WTF - Sanic meets WTForms ===============================

Sanic-WTF makes using WTForms with Sanic_ and CSRF (Cross-Site Request Forgery) protection a little bit easier.

.. _WTForms: .. _Sanic:

Quick Start


.. code-block:: sh

pip install --upgrade Sanic-WTF

How to use it

Intialization (of Sanic) ^^^^^^^^^^^^^^^^^^^^^^^^

.. code-block:: python

from sanic import Sanic

app = Sanic(name)

# either WTF_CSRF_SECRET_KEY or SECRET_KEY should be set app.config['WTF_CSRF_SECRET_KEY'] = 'top secret!'

@app.middleware('request') async def add_session_to_request(request): # setup session

Defining Forms ^^^^^^^^^^^^^^

.. code-block:: python

from sanic_wtf import SanicForm from wtforms import PasswordField, StringField, SubmitField from wtforms.validators import DataRequired

class LoginForm(SanicForm): name = StringField('Name', validators=[DataRequired()]) password = PasswordField('Password', validators=[DataRequired()]) submit = SubmitField('Sign In')

That's it, just subclass SanicForm and later on passing in the current request object when you instantiate the form class. Sanic-WTF will do the trick.

Form Validation ^^^^^^^^^^^^^^^

.. code-block:: python

from sanic import response

@app.route('/', methods=['GET', 'POST']) async def index(request): form = LoginForm(request) if request.method == 'POST' and form.validate(): name = password = # check user password, log in user, etc. return response.redirect('/profile') # here, render_template is a function that render template with context return response.html(await render_template('index.html', form=form))

.. note:: For WTForms users: please note that SanicForm requires the whole request object instead of some sort of MultiDict.

For more details, please see documentation.


BSD New, see LICENSE for details.


  • Documentation <>_

  • Issue Tracker <>_

  • Source Package @ PyPI <>_

  • Git Repository @ Github <>_

  • Git Repository @ Gitlab <>_

  • Development Version <>_


csrf failed when run with workers

opened on 2019-07-26 17:02:30 by ohahlev

I try to run guestbook; and it is working fine until I set workers=4, because my machine is a 4-core monster; and nightmare starts to come.

  1. steps to reproduce

  2. git clone [email protected]:ohahlev/guestbook-sanic-wtf.git

  3. python
  4. try to submit data again and again

  5. expected results form can be always submitted without error

  6. what really happens Sometimes form is submitted successfully, and sometimes not. I print out form.errors, and see that, the error is "csrf failed"

Csrf Ajax

opened on 2019-01-02 11:48:38 by anthon-alindada

Hi there. Can someone tell me how to add csrf token on an ajax request i tried adding a "X-CSRF-TOKEN" header. But it still shows "CSRF token missing"

Async validators + Recaptcha

opened on 2018-12-24 03:08:02 by omarryhan


New features: - Support for async and sync validators - testing py37

The code I added isn't of best quality, especially the tests. This is only meant to be a prototype.

I think in order to merge this feature, we'd have to go 1 of the following paths:

  1. Break backward compatibility and make validate_on_submit a coroutine.
  2. Keep both validate_on_submit and validate_on_submit_async (maybe name it differently). However, if we do this, then the user shouldn't call validate_on_submit_async followed by validate_on_submit, because validate_on_submit_async will do lots of monkey patching (We can have some sort of flag though that explicitly enables this functionality).
  3. Make a new SanicForm class. Maybe call it SanicForm_ or sth
  4. Do nothing :smile:

Async validators?

opened on 2018-12-23 18:05:12 by omarryhan

Are there any plans for supporting them?

Support for submitting CSRF tokens in headers like Flask-WTF has

opened on 2017-10-26 10:16:11 by marijngiesen

Please add support for submitting CSRF tokens in headers like Flask-WTF. See here:

check referrer header

opened on 2017-05-08 21:32:49 by pyx

It's a good practice to check referrer header as well. Will add that if I have time.

sanic wtforms csrf-protection