Closed egabancho closed 6 years ago
The default form validation stopped working: https://github.com/inveniosoftware/invenio-oauthclient/blob/master/invenio_oauthclient/utils.py#L117
It looks like Flask-WTF>=0.14 has some issues with CSRF validation.
pip install Flask-WTF==0.13
Latest version of Flask-WTF
(0.14.2) seems to have this issue fixed (tested with @egabancho on cdslabs-qa
), so we can close it.
I think this issue is still valid, we didn't tested properly as the error only happens at first login.
Indeed the only version of Flask-WTF that seems to be working is 0.13.1
.
cc @pamfilos @ioannistsanaktsidis
I wanted to let you know, that I still experienced problems with CSRF validation in combination with the invenio-userprofiles
module.
For the RegistrationForm which did not include invenio-userprofiles
everything worked as expected. With invenio-userprofiles enabled, form validation stopped working again. (I used the create_csrf_disabled_registrationform()-function from invenio-oauthclient
.)
The problem was, that in the subform created by invenio-userprofiles
CSRF-validation was still active. After deleting the csrf_token
in the subform and also setting csrf-validation to false, the form validation succeeded.
My current solution is to disable csrf-validation as follows for Flask-WTF>=0.14
for a given form:
def disable_csrf(form):
form.meta.csrf = False
if 'csrf_token' in form:
del form.csrf_token
for f in form:
if isinstance(f, FormField):
disable_csrf(f.form)
I wanted to let you know my experience just in case the same situation is valid for invenio-oauthclient
.
I tried to replicate the issue, using Flask-WTF
(0.14.2) and invenio-userprofiles
(1.0.0b1) and after testing it (with @ntarocco) , create_csrf_disabled_registrationform() seems to working as expected.
@tobiasfrust Can you check if you have all the latest releases of packages and see if you are still experiencing the issue. If you still have the issue, further information on exactly how to replicate it would help us a lot in trying to fix it for good.
I just tried to replicate the issue by providing some tests with WTF_CSRF_ENABLED=True
. You can see my code changes in this commit.
I just ran the tests with Travis and you can see the result e.g. here. As you can see, form validation fails with the currently used method. I also printed the form to the console, and there was a csrf_token
in the userprofiles subform, which is the reason for failing validation I guess.
The output of the print statements is shown here.
In your oauth_register-function your call form.validate()
. If I did not miss anything in my tests, the user registration should not succeed because of form.validate()=False
. So, there should only be a problem on the very first sign-in.
I also added a second test, which uses an updated way of disabling csrf (https://github.com/tobiasfrust/invenio-oauthclient/blob/21c1189679ce4be89c5ed2dd7db2a53452aa385c/invenio_oauthclient/utils.py#L238-L268). With these changes, form validation succeeds.
If you need further information or if I missed anything, just let me know.
@tobiasfrust Thank you for the information, we managed to reproduce the issue through the tests and will try to fix it.
For some reason this
evaluates to
False
. (To investigate more in depth)cc @pamfilos