Use new CSRF cookie validation on login view (refs #5617)

src/authentic2/auth_frontends.py

@@ -34,6 +34,7 @@ class LoginPasswordBackend(object):
         seconds_to_wait = exponential_backoff.seconds_to_wait(request)
         reset = True
         if is_post and not seconds_to_wait:
+            utils.csrf_token_check(request, form)
             reset = False
             if form.is_valid():
                 if is_secure:

src/authentic2/views.py

@@ -26,7 +26,7 @@ from django.contrib.auth import REDIRECT_FIELD_NAME
 from django.http import (HttpResponseRedirect, HttpResponseForbidden,
     HttpResponse)
 from django.core.exceptions import PermissionDenied
-from django.views.decorators.csrf import csrf_protect
+from django.views.decorators.csrf import csrf_exempt, ensure_csrf_cookie
 from django.views.decorators.cache import never_cache
 from django.contrib.auth.decorators import login_required
 from django.db.models.fields import FieldDoesNotExist
@@ -180,7 +180,8 @@ email_change_verify = EmailChangeVerifyView.as_view()
 
 logger = logging.getLogger('authentic2.idp.views')
 
-@csrf_protect
+@csrf_exempt
+@ensure_csrf_cookie
 @never_cache
 def login(request, template_name='authentic2/login.html',
           redirect_field_name=REDIRECT_FIELD_NAME):