Closed e-goto closed 2 months ago
jwag956
commented
3 months ago This message is from tf_invalid_state() method - called from various two-factor views when something is not consistent with the users two-factor setup. Many of calls are due to information missing from the session cookie - so that would be a good place to start - grab the cookie from the request and decode it (or set a breakpoint in two_factor_token_validation.
e-goto
commented
2 months ago I figured out that it was because I call the /login endpoint to get a CSRF token before making the call to /2f-validate which would overwrite the session cookie with the tf information. I changed my login code to set the CSRF cookie to the csrf token that is returned after login and changed the POST request to /2f-validate to use the CSRF cookie I just set and the request was successful.
lilz-egoto
commented
2 months ago @jwag956 I thought about this a little, but wouldn't it make sense for flask security to set the CSRF cookie on a successful login that requires 2FA validation? Right now I have to manually set it
jwag956
commented
2 months ago Yes - this is very odd - when I get a chance I'll write some tests and look into it. Probably an bug/oversight from long ago. Thanks for all your debugging and insight.
jwag956
commented
2 months ago Ok - finally digging into this. Yes - in 5.4.3 I added cleaning our any partial login information (like 2fa) on a GET. In my testing I noticed that this partial 2FA info could remain in the session after aborted attempts to log in. So that explains that.
I am working on a PR that will set the cookie on GET of /login (as well as when it is set now). This will allow JS/SPA code to always use the cookie to set the header.
lilz-egoto
commented
1 month ago Thank you
This happens on version 5.4.3, but does not happen on 5.3.3. I'll try to narrow down the scope and create test cases.