Closed e-goto closed 2 months ago
This message is from tf_invalid_state() method - called from various two-factor views when something is not consistent with the users two-factor setup. Many of calls are due to information missing from the session cookie - so that would be a good place to start - grab the cookie from the request and decode it (or set a breakpoint in two_factor_token_validation.
I figured out that it was because I call the /login
endpoint to get a CSRF token before making the call to /2f-validate
which would overwrite the session cookie with the tf information. I changed my login code to set the CSRF cookie to the csrf token that is returned after login and changed the POST request to /2f-validate
to use the CSRF cookie I just set and the request was successful.
@jwag956 I thought about this a little, but wouldn't it make sense for flask security to set the CSRF cookie on a successful login that requires 2FA validation? Right now I have to manually set it
Yes - this is very odd - when I get a chance I'll write some tests and look into it. Probably an bug/oversight from long ago. Thanks for all your debugging and insight.
Ok - finally digging into this. Yes - in 5.4.3 I added cleaning our any partial login information (like 2fa) on a GET. In my testing I noticed that this partial 2FA info could remain in the session after aborted attempts to log in. So that explains that.
I am working on a PR that will set the cookie on GET of /login (as well as when it is set now). This will allow JS/SPA code to always use the cookie to set the header.
Thank you
This happens on version 5.4.3, but does not happen on 5.3.3. I'll try to narrow down the scope and create test cases.