cryptoadvance / specter-desktop

A desktop GUI for Bitcoin Core optimised to work with hardware wallets
MIT License

Repeating "Session expired" (in development mode) #1595

Open Sjors opened 2 years ago

Sjors commented 2 years ago

On master @ a3b73f2d8bbea147148a0c57d7d5474471c2acd1. I keep getting "Session expired" messages, including when I try to import (more) keys from a Ledger. Refreshing the browser doesn't help. Seeing this in both Safari and Chrome on macOS.

Some log:

[2022-02-18 17:50:13,282] INFO in _internal: 127.0.0.1 - - [18/Feb/2022 17:50:13] "POST /hwi/api/ HTTP/1.1" 200 -
[2022-02-18 17:50:15,553] ERROR in controller: CSRF Exception: 400 Bad Request: The CSRF session token is missing.
[2022-02-18 17:50:15,554] ERROR in controller: Traceback (most recent call last):
  File "/Users/sjors/dev/specter-desktop/.env/lib/python3.8/site-packages/flask_wtf/csrf.py", line 256, in protect
    validate_csrf(self._get_csrf_token())
  File "/Users/sjors/dev/specter-desktop/.env/lib/python3.8/site-packages/flask_wtf/csrf.py", line 94, in validate_csrf
    raise ValidationError('The CSRF session token is missing.')
wtforms.validators.ValidationError: The CSRF session token is missing.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/sjors/dev/specter-desktop/.env/lib/python3.8/site-packages/flask/app.py", line 1948, in full_dispatch_request
    rv = self.preprocess_request()
  File "/Users/sjors/dev/specter-desktop/.env/lib/python3.8/site-packages/flask/app.py", line 2242, in preprocess_request
    rv = func()
  File "/Users/sjors/dev/specter-desktop/.env/lib/python3.8/site-packages/flask_wtf/csrf.py", line 224, in csrf_protect
    self.protect()
  File "/Users/sjors/dev/specter-desktop/.env/lib/python3.8/site-packages/flask_wtf/csrf.py", line 259, in protect
    self._error_response(e.args[0])
  File "/Users/sjors/dev/specter-desktop/.env/lib/python3.8/site-packages/flask_wtf/csrf.py", line 302, in _error_response
    raise CSRFError(reason)
flask_wtf.csrf.CSRFError: 400 Bad Request: The CSRF session token is missing.

[2022-02-18 17:50:15,555] ERROR in controller: '_AppCtxGlobals' object has no attribute 'start'

relativisticelectron commented 2 years ago

I get the same error (Firefox on Linux). Closing and reopening the Specter tab usually helps... but it would be great to fix that.

It is probably related to https://github.com/cryptoadvance/specter-desktop/issues/1469

k9ert commented 2 years ago

This is probably due to some weird combination of

In @moneymanolis's case, it was not only while using hwi but in almost any request. The "solution" is to delete all cookies on localhost:25441 or de-/activate an auth scheme and/or explicitly log out/in again.

Does this help? Assigned the bug label but probably won't fix it if the solution is as simple as this.

Sjors commented 2 years ago

I'm only seeing one cookie and deleting it doesn't help:

[Screenshot, 2022-02-22 12:04:36: browser cookie list showing a single cookie]

de-/activate an auth scheme and/or explicitly log out/in again

What do you mean by this? I'm running on localhost without any authentication.

moneymanolis commented 2 years ago

Quick fix seems to be to login (enable authentication under http://127.0.0.1:25441/spc/settings/auth for that). @Sjors @relativisticelectron

Sjors commented 2 years ago

That worked!

k9ert commented 2 years ago

I'm still a bit puzzled that cookie deletion didn't work, but given that this is a one-time issue with a workaround on development only, I'll close this issue.

Sjors commented 2 years ago

Ok, I'll let you know if I ever run into this in production mode (haven't tried yet).

k9ert commented 2 years ago

I'm now able to reproduce this. I also know how it happens but not exactly why. If the fetch API is calling hwi endpoints, those are POST requests and the endpoint sets a new cookie with a csrf-token in the session. Those are cookies which have the scope /spc but they lack the csrf-token. When this token is sent with the POST request which is creating the device, "The CSRF session token is missing" indeed.

If authentication is activated, the hwi-endpoints for some reason no longer send any cookies and so the csrf-token in the first cookie is preserved and the issue doesn't happen.

As this persists if you switch back to "non-auth", this is a bug. Reopening. Helpful was this: https://github.com/noraj/flask-session-cookie-manager
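The mechanism k9ert describes above (a second "session" cookie scoped to /spc, set by the hwi endpoint, shadowing the /-scoped cookie that holds the csrf_token) can be checked without a browser. The following is an added example written for this page, not code from specter-desktop or from flask-session-cookie-manager: it decodes and re-encodes Flask session cookies with the standard library only, simulates which of two same-named cookies a browser sends first for a given request path (RFC 6265 orders matching cookies longest path first, and Werkzeug's `request.cookies[name]` takes that first value), and reports the csrf_token the server would actually see. The cookie format assumed is the one Flask's `SecureCookieSessionInterface` uses (itsdangerous `URLSafeTimedSerializer`, salt `cookie-session`, HMAC-SHA1, zlib-compressed payload marked by a leading `.`); the secret key, session contents, timestamps and paths are constructed for the demo. To inspect a real cookie, paste its value into `decode_session` together with the app's actual SECRET_KEY.

```python
"""Added example (not specter-desktop code): decode Flask session cookies with
the standard library and show how a second "session" cookie scoped to /spc
shadows the /-scoped cookie that carries csrf_token.

Assumptions: Flask's SecureCookieSessionInterface format (itsdangerous
URLSafeTimedSerializer, salt "cookie-session", HMAC-SHA1, optional zlib
compression flagged by a leading "."); plain JSON-serialisable session values.
SECRET_KEY, cookie contents, timestamps and paths are constructed for the demo.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import Optional

SECRET_KEY = b"demo-secret-key-not-real"  # constructed, not a real key


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signature(secret_key: bytes, signed_value: str) -> str:
    # Flask derives the signing key as HMAC-SHA1(secret_key, "cookie-session")
    derived = hmac.new(secret_key, b"cookie-session", hashlib.sha1).digest()
    return _b64e(hmac.new(derived, signed_value.encode(), hashlib.sha1).digest())


def encode_session(data: dict, secret_key: bytes, timestamp: Optional[int] = None) -> str:
    """Build a cookie value the way Flask would: payload.timestamp.signature."""
    raw = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    compressed = zlib.compress(raw)
    payload = "." + _b64e(compressed) if len(compressed) < len(raw) else _b64e(raw)
    ts = int(time.time()) if timestamp is None else timestamp
    ts_b64 = _b64e(ts.to_bytes((ts.bit_length() + 7) // 8 or 1, "big"))
    signed_value = f"{payload}.{ts_b64}"
    return f"{signed_value}.{_signature(secret_key, signed_value)}"


def decode_session(cookie: str, secret_key: bytes) -> dict:
    """Verify the HMAC and return the session dict; raise ValueError if tampered."""
    signed_value, _, sig = cookie.rpartition(".")
    if not hmac.compare_digest(sig, _signature(secret_key, signed_value)):
        raise ValueError("bad session signature")
    payload, _, _timestamp = signed_value.rpartition(".")
    raw = zlib.decompress(_b64d(payload[1:])) if payload.startswith(".") else _b64d(payload)
    return json.loads(raw)


def cookie_sent_for(jar: list, name: str, request_path: str) -> Optional[str]:
    """Value of the cookie a browser lists first for request_path.

    RFC 6265 5.4 sends path-matching cookies longest path first, and Werkzeug's
    request.cookies[name] returns that first occurrence, so the /spc cookie wins
    over the / cookie for any request under /spc."""
    matching = [
        (path, value)
        for cname, value, path in jar  # jar entries are (name, value, Path)
        if cname == name
        and (request_path == path or request_path.startswith(path.rstrip("/") + "/"))
    ]
    if not matching:
        return None
    matching.sort(key=lambda item: len(item[0]), reverse=True)
    return matching[0][1]


def csrf_token_seen_by_server(jar: list, request_path: str, secret_key: bytes = SECRET_KEY):
    """csrf_token Flask-WTF would find in the session, or None ("token is missing")."""
    value = cookie_sent_for(jar, "session", request_path)
    if value is None:
        return None
    return decode_session(value, secret_key).get("csrf_token")


def reproduce_issue() -> tuple:
    # 1. First page load: Flask sets a /-scoped session holding the csrf_token.
    jar = [("session", encode_session({"csrf_token": "abc123"}, SECRET_KEY, 1645200000), "/")]
    before = csrf_token_seen_by_server(jar, "/spc/devices/new")
    # 2. fetch() POSTs to /hwi/api/; the response sets a second "session" cookie
    #    scoped to /spc without a csrf_token (constructed to mirror the report).
    jar.append(("session", encode_session({"hwi": "connected"}, SECRET_KEY, 1645200005), "/spc"))
    after = csrf_token_seen_by_server(jar, "/spc/devices/new")
    return before, after


if __name__ == "__main__":
    print(reproduce_issue())  # ("abc123", None)
```

Running it prints `('abc123', None)`: the device-creation POST sees the /spc cookie, which verifies fine but has no csrf_token, which is exactly the "CSRF session token is missing" error in the log. The same `decode_session` call on both real cookies (with the app's SECRET_KEY) confirms which one lost the token; if signature verification fails on a genuine cookie, the app's key derivation differs from the Flask defaults assumed here.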