Open TomeCirun opened 2 years ago
Hi. Please provide a reproducible example of your issue, ideally some piece of code we can copy/paste so we can see the behavior you are describing. Your messages just don't contain enough information so we can help you.
Note: We are not using the wtforms, we have our own custom scheme.
I don't understand. Are you or are you not using wtforms?
@azmeuk Thanks for your quick reply, I now realized that I opened the issue in the wrong repo, it was meant for flask_wtf
Can we move this issue to flask_wtf please, or should I close here and reopen it in flask-wtf?
By the way, we are only using the CSRF protection, without wtforms, as I said. We have our own custom schema.
Thanks!
As I said earlier, we cannot help you unless you tell us very precisely how to reproduce the bug you are encountering.
I was following the documentation and initialized the CSRFProtect as stated in it:
from flask_wtf.csrf import CSRFProtect
csrf = CSRFProtect()
csrf.init_app(app)
and as stated in the documentation I'm rendering the hidden input with the token in the form:
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
I also exempt the blueprints that come from the extensions; I want to implement csrf_protection on the CKAN core first, so we can give more space to the extensions' maintainers for implementation, without breaking the app.
Nothing more is added.
I still do not have enough data to fully understand your bug. Please provide a piece of code I can just copy/paste, or a repository I can clone.
@azmeuk here is the repo -> https://github.com/ckan/ckan. If you need some help, please let me know.
Thanks
I came up with a quick fix, though I'm not sure if this is the best solution.
I'm calling this function from before_request. There is a raw token in request.form.get('csrf_token'); the one that was missing is from the session when trying to login/register, and I can't figure out why...
@azmeuk I think this function might be our problem. https://github.com/ckan/ckan/blob/86547a5d35c4a3b3b54de598a34f88125417097e/ckan/config/middleware/flask_app.py#L343
I set two breakpoints(), one inside ckan_before_request and one in ckan_after_request.
In ckan_before_request I can print the request.form, and I'm also seeing the token, though not in the session; also the response is 400 (this probably comes from def csrf_protect).
When the breakpoint stops on ckan_after_request, only then can I see the csrf_token set in the session, but it's too late, I'm already 400.
Seems like our forms are late with generating the token, and yet I'm not sure how I see it in request.form.
What is your opinion on this?
Hello, I have followed this advice https://stackoverflow.com/questions/69408733/using-flask-wtf-csrf-without-wtf-forms and it works fine, I think, when logging in, but when logging out I get bad request, missing csrf token, so I added the hidden input field with the csrf token as its value and the error message changes to "The browser (or proxy) sent a request that this server could not understand." How do I implement this during logging out?
Hi, I am facing flask_wtf.csrf.CSRFError: 400 Bad Request: The CSRF session token is missing. How do I fix it in the pgadmin stack in portainer?
Actual Behavior
Everything works fine when the user is logged in; 400 Bad Request happens when I try to log the user in. The same behavior occurs when I try to register a user (csrf_token is missing in the session when the user is anonymous). Have I missed something to configure maybe?
Note: We are not using wtforms, we have our own custom scheme.
Thanks!
Environment