
I'm using a combination of flask-jwt-extended for JWT authentication, and I've enabled CSRF protection, meaning for certain HTTP methods (PUT, POST, DELETE...), it is required that the value in the cookie and the HTTP header match.

This works fine for my API requests, where I just construct the HTTP request in JS with the header set correctly, but I want to use Flask-Admin, and allow access based on the JWT tokens. I did this by decorating the is_accessible function in Flask-Admin's ModelView with @jwt_optional and checking within it.

However, now when I try to perform any modifications through Flask-Admin, I get an error message from flask-jwt-extended, stating that I didn't properly include my CSRF tokens. This is true, as I'm using the default forms that come with Flask-Admin.

My question is, what is the best solution? Is it possible to disable CSRF protection only for certain paths? (And enable Flask-Admin's own CSRF protection for them?) Should I modify the views and insert JS that is triggered by the submit button but actually submits an XMLHttpRequest? Should I implement the JWT authentication for Flask-Admin views in a different way?

Tomáš M.

0 Answers
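A stand-alone model of the check the question describes, added here as an example; it is not code from flask-jwt-extended, Flask-Admin, or the asker. It mints an HS256 JWT whose csrf claim is also handed out as a JS-readable cookie value, and then enforces the double-submit rule for state-changing methods by comparing the X-CSRF-TOKEN header with the claim inside the token. The cookie name access_token_cookie, the header name X-CSRF-TOKEN, the secret, and the csrf_exempt_prefixes parameter are all assumptions of this example; csrf_exempt_prefixes is a hypothetical knob that models the asker's first option (skipping the check for some paths). demo() replays the three requests the question mentions: Flask-Admin's default form POST, an XHR that sets the header, and a plain GET.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Constructed for this example only; a real deployment loads the key from config.
SECRET = b"constructed-demo-secret-do-not-reuse"
# Methods the double-submit check guards (the "certain HTTP methods" above).
PROTECTED_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
# Assumed names; in the real library both are configurable settings.
ACCESS_COOKIE = "access_token_cookie"
CSRF_HEADER = "X-CSRF-TOKEN"


class CsrfError(Exception):
    """Raised when a state-changing request lacks a matching CSRF token."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(identity, secret=SECRET):
    """Mint an HS256 JWT carrying a fresh random CSRF value as a claim.

    Returns (token, csrf). The caller stores the token in an HttpOnly cookie
    and the csrf value in a second, JS-readable cookie so scripts can echo it
    back in the header; a cross-site page can make the browser send the
    cookies but cannot read them, so it cannot forge the header.
    """
    csrf = secrets.token_hex(16)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": identity, "csrf": csrf}).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}", csrf


def decode_access_token(token, secret=SECRET):
    """Verify the HMAC and return the claims, or None if the token is not valid."""
    try:
        header, payload, signature = token.split(".")
        provided = _b64url_decode(signature)
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, f"{header}.{payload}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        return None
    return claims


def check_request(method, path, cookies, headers, csrf_exempt_prefixes=()):
    """Model of an optional-JWT check plus double-submit CSRF enforcement.

    Returns the claims for an authenticated request, None for an anonymous one,
    and raises CsrfError when a protected method arrives with a JWT cookie but
    without a header matching the token's csrf claim. csrf_exempt_prefixes is a
    hypothetical knob (not a library setting): any path it exempts must be
    covered by another CSRF defence, such as the form's own token.
    """
    token = cookies.get(ACCESS_COOKIE)
    if token is None:
        return None
    claims = decode_access_token(token)
    if claims is None:
        return None  # this model treats an unverifiable token as anonymous
    if method.upper() not in PROTECTED_METHODS:
        return claims
    if any(path.startswith(prefix) for prefix in csrf_exempt_prefixes):
        return claims
    sent = headers.get(CSRF_HEADER)
    expected = claims.get("csrf")
    if not expected or sent is None or not hmac.compare_digest(
            sent.encode(), expected.encode()):
        raise CsrfError(f"{method} {path}: missing or mismatched {CSRF_HEADER}")
    return claims


def demo():
    """Replay the three situations in the question: plain form POST, XHR, GET."""
    token, csrf = issue_access_token("admin@example.test")
    cookies = {ACCESS_COOKIE: token, "csrf_access_token": csrf}
    results = {}
    # Flask-Admin's default form submits without the header -> rejected.
    try:
        check_request("POST", "/admin/user/new/", cookies, {})
        results["form_post"] = "accepted"
    except CsrfError:
        results["form_post"] = "rejected"
    # An XHR that copies the JS-readable cookie into the header -> accepted.
    ok = check_request("POST", "/api/items", cookies, {CSRF_HEADER: csrf})
    results["xhr_post"] = "accepted" if ok else "rejected"
    # Reads are never subject to the check.
    results["get"] = "accepted" if check_request("GET", "/admin/", cookies, {}) else "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Running the file shows the form POST rejected while the XHR POST and the GET pass, which is exactly the asymmetry the question runs into. Exempting the admin prefix makes the form POST pass again, but only because the check has been removed for that path, so the Flask-Admin forms then need their own token check to keep the same protection.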