jirikuncar
commented
7 years ago The default form validation stopped working: https://github.com/inveniosoftware/invenio-oauthclient/blob/master/invenio_oauthclient/utils.py#L117
Closed egabancho closed 6 years ago
jirikuncar
commented
7 years ago The default form validation stopped working: https://github.com/inveniosoftware/invenio-oauthclient/blob/master/invenio_oauthclient/utils.py#L117
jirikuncar
commented
7 years ago It looks like Flask-WTF>=0.14 has some issues with CSRF validation.
pip install Flask-WTF==0.13
switowski
commented
7 years ago Latest version of Flask-WTF (0.14.2) seems to have this issue fixed (tested with @egabancho on cdslabs-qa), so we can close it.
egabancho
commented
7 years ago I think this issue is still valid, we didn't tested properly as the error only happens at first login.
Indeed the only version of Flask-WTF that seems to be working is 0.13.1.
cc @pamfilos @ioannistsanaktsidis
tobiashuste
commented
6 years ago I wanted to let you know, that I still experienced problems with CSRF validation in combination with the invenio-userprofiles module.
For the RegistrationForm which did not include invenio-userprofiles everything worked as expected. With invenio-userprofiles enabled, form validation stopped working again. (I used the create_csrf_disabled_registrationform()-function from invenio-oauthclient.)
The problem was, that in the subform created by invenio-userprofiles CSRF-validation was still active. After deleting the csrf_token in the subform and also setting csrf-validation to false, the form validation succeeded.
My current solution is to disable csrf-validation as follows for Flask-WTF>=0.14 for a given form:
def disable_csrf(form):
form.meta.csrf = False
if 'csrf_token' in form:
del form.csrf_token
for f in form:
if isinstance(f, FormField):
disable_csrf(f.form)I wanted to let you know my experience just in case the same situation is valid for invenio-oauthclient.
miltalex
commented
6 years ago I tried to replicate the issue, using Flask-WTF (0.14.2) and invenio-userprofiles(1.0.0b1) and after testing it (with @ntarocco) , create_csrf_disabled_registrationform() seems to working as expected.
lnielsen
commented
6 years ago @tobiasfrust Can you check if you have all the latest releases of packages and see if you are still experiencing the issue. If you still have the issue, further information on exactly how to replicate it would help us a lot in trying to fix it for good.
tobiashuste
commented
6 years ago I just tried to replicate the issue by providing some tests with WTF_CSRF_ENABLED=True. You can see my code changes in this commit.
I just ran the tests with Travis and you can see the result e.g. here. As you can see, form validation fails with the currently used method. I also printed the form to the console, and there was a csrf_token in the userprofiles subform, which is the reason for failing validation I guess.
The output of the print statements is shown here.
In your oauth_register-function your call form.validate(). If I did not miss anything in my tests, the user registration should not succeed because of form.validate()=False. So, there should only be a problem on the very first sign-in.
I also added a second test, which uses an updated way of disabling csrf (https://github.com/tobiasfrust/invenio-oauthclient/blob/21c1189679ce4be89c5ed2dd7db2a53452aa385c/invenio_oauthclient/utils.py#L238-L268). With these changes, form validation succeeds.
If you need further information or if I missed anything, just let me know.
miltalex
commented
6 years ago @tobiasfrust Thank you for the information, we managed to reproduce the issue through the tests and will try to fix it.
For some reason this
evaluates to
False. (To investigate more in depth)cc @pamfilos