Open urapadmin opened 3 years ago
csrf tokens are used in forms and js ajax calls. According to flask-csrf the expiration time is 60 minutes. There is something about returning different errors depending on whether the token is invalid or just expired: https://flask-wtf.readthedocs.io/en/stable/api.html#flask_wtf.csrf.validate_csrf
In flask_wtf/form the time limit is explicitly set to 3600 seconds, which is indeed an hour:

```python
@cached_property
def csrf_time_limit(self):
    return current_app.config.get('WTF_CSRF_TIME_LIMIT', 3600)
```
Seems that can be changed in the Flask config using WTF_CSRF_TIME_LIMIT.
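The 60-minute limit and the expired-versus-invalid distinction referred to above, as an added stand-alone example that is not flask-wtf's own code (flask-wtf signs a per-session value with itsdangerous; this stdlib version uses HMAC-SHA256 instead). The secret key, the session nonce, the `time_limit` parameter mirroring `WTF_CSRF_TIME_LIMIT` and the `csrf_status` helper are constructed for illustration.

```python
import base64
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-secret-key-for-illustration"  # constructed; real apps read config
DEFAULT_TIME_LIMIT = 3600  # seconds; mirrors the WTF_CSRF_TIME_LIMIT default
SIG_LEN = hashlib.sha256().digest_size

class CSRFError(ValueError):
    """Message is 'invalid' or 'expired', the two outcomes flask-wtf distinguishes."""

def _sign(body):
    return hmac.new(SECRET_KEY, body, hashlib.sha256).digest()

def generate_csrf(session_nonce, now=None):
    """Bind the per-session nonce to an issue timestamp and sign both."""
    issued = int(time.time() if now is None else now)
    body = f"{issued}:{session_nonce}".encode()
    return base64.urlsafe_b64encode(body + _sign(body)).decode()

def validate_csrf(token, session_nonce, time_limit=DEFAULT_TIME_LIMIT, now=None):
    """Raise CSRFError('invalid') for a malformed, forged or foreign token and
    CSRFError('expired') once it is older than time_limit; return None if valid."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        body, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
        issued_str, nonce = body.decode().split(":", 1)
        issued = int(issued_str)
    except (ValueError, UnicodeDecodeError):
        raise CSRFError("invalid")
    # Constant-time signature check before anything else is trusted; only a
    # genuine token then gets the session binding and the age check.
    if not hmac.compare_digest(sig, _sign(body)):
        raise CSRFError("invalid")
    if nonce != session_nonce:
        raise CSRFError("invalid")
    current = time.time() if now is None else now
    if time_limit is not None and current - issued > time_limit:
        raise CSRFError("expired")

def csrf_status(token, session_nonce, time_limit=DEFAULT_TIME_LIMIT, now=None):
    """Map validation to 'ok' / 'invalid' / 'expired', as a view would log it."""
    try:
        validate_csrf(token, session_nonce, time_limit, now)
        return "ok"
    except CSRFError as exc:
        return str(exc)
```

A token that is only expired still carries a valid signature for this session, which is why a view can tell the user to reload the form rather than treating the request as forged.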
After not doing anything in the file repository for more than an hour and then navigating to the workstation manager, this is what happens on 0.8.22 (after I had attended to #877):

```
[22852/23888: kioskuser.ERROR at 2021-01-11 20:28:46,156]: KioskUser.load_user: User lkh cannot be loaded because of missing token.
[22852/23888: init.ERROR at 2021-01-11 20:28:46,156]: Exception in @LoginManager user loader Exception('kiosk user not found or an exception occurred. Please consult the logs')
[22852/23888: authorization.ERROR at 2021-01-11 20:28:46,156]: authorization.@full_login_required: AttributeError("'bool' object has no attribute 'is_authenticated'")
[22852/22576: kioskuser.ERROR at 2021-01-11 20:28:46,169]: KioskUser.load_user: User lkh cannot be loaded because of missing token.
[22852/22576: init.ERROR at 2021-01-11 20:28:46,169]: Exception in @LoginManager user loader Exception('kiosk user not found or an exception occurred. Please consult the logs')
[22852/22576: urlforjavascript.DEBUG at 2021-01-11 20:28:46,169]: trying directorsview.static
[22852/12092: kioskuser.ERROR at 2021-01-11 20:28:46,240]: KioskUser.load_user: User lkh cannot be loaded because of missing token.
[22852/12092: init.ERROR at 2021-01-11 20:28:46,240]: Exception in @LoginManager user loader Exception('kiosk user not found or an exception occurred. Please consult the logs')
[22852/10280: kioskuser.ERROR at 2021-01-11 20:28:46,240]: KioskUser.load_user: User lkh cannot be loaded because of missing token.
[22852/10280: init.ERROR at 2021-01-11 20:28:46,240]: Exception in @LoginManager user loader Exception('kiosk user not found or an exception occurred. Please consult the logs')
```
So it seems that it is indeed the new api token that expires and leads to the logout. Now that the login page is properly shown, I don't find it as annoying anymore.
What I still don't understand is why "'bool' object has no attribute ..."
The API token expires either in 2 hours or in as many seconds as set in kiosk\security_token_timeout_seconds in the kiosk config.
Currently this is at least covered by a proper reaction on most fronts. I want to postpone it and look at the current behavior a bit more.
It is still really not perfect but should suffice in normal scenarios. So postponed to after v1.
See also #1157.
I should invest some time to actually understand CSRF. I am not even sure what it does. Is it just another token? From my work on using the kioskfilemakerworkstation.upload as an API I learned that I can generate a new CSRF token and set it as the header and it seems to work. So does it simply expire at some point?
They even depend on each other sometimes.