flask-ldap3-login

CSRF must be initialized

Open eljeffeg opened this issue 2 years ago • 4 comments

I'm having an issue where only one user can log in at any time. Trying to track down the issue, it seems to be failing during form validation (before getting to ldap - which authenticates successfully). The issue seems to be the CSRF.

Reasons: '{'csrf_token': ['The CSRF session token is missing.']}'

However, I'm supplying the `{{ form.csrf_token }}` (also tried `{{ form.hidden_tag() }}`) and I can see the token on the `request.form`. Is something not getting passed into `LDAPLoginForm`?

If I run `form.validate_ldap()` it returns True, but if I just run `form.validate()` it is False. Username, Password, and CSRF are supplied. I'm following the documentation.

Also tagging azmeuk, who might be able to provide some insight as the dev on flask-wtf.

eljeffeg, Jul 14 '22 21:07

~~Solved - The issue was that the CSRF has to be initialized as described in Flask-WTF CSRF Setup. This should be noted in the docs.~~

eljeffeg, Jul 18 '22 18:07

This is a bug in the documentation, so I'm reopening this issue to track that update.

gmacon, Jul 18 '22 23:07

I'm still trying to figure out some issues with the login form where I was getting "Bad Request The CSRF Token has expired", which seems odd since the login should set the session and CSRF token, but I hope to figure that out. Would be great to have an example of how it should work :)

eljeffeg, Jul 19 '22 00:07

I think I was able to finally resolve my issue, which required adding threads to gunicorn, but this is an issue with flask-wtf as a whole, not flask-ldap3-login. Still good to document the initialization though. :)

eljeffeg, Jul 31 '22 21:07