jaliss / securesocial

A module that provides OAuth, OAuth2 and OpenID authentication for Play Framework applications
http://www.securesocial.ws
Apache License 2.0
1.19k stars 511 forks

UsernamePasswordProvider badRequest CSRF #599

Closed by buddhabuddy 7 years ago

buddhabuddy commented 7 years ago

When there's an empty field in the login page, a badRequest is thrown in UsernamePasswordProvider. The login form has a @CSRF.formField, so it fails to render without CSRFAddToken at:

Results.BadRequest(viewTemplates.getLoginPage(f, msg))

How would I get a token to the render?

jaliss commented 7 years ago

@buddhabuddy the login page in the sample app gets the token rendered when you fail to enter one of the fields. Could you compare/share your page to see what could be causing the problem?

buddhabuddy commented 7 years ago

It's true, it does. Sorry, I am on 2.5.x, so it's a problem somewhere dealing with injection of CSRFAddToken.