The CSRF session token is missing. #519

Open
TomeCirun opened this issue May 11, 2022 · 10 comments
TomeCirun commented May 11, 2022

Actual Behavior

Everything works fine when the user is logged in; a 400 Bad Request happens when I try to log the user in. The same behavior occurs when I try to register a user (csrf_token is missing in the session when the user is anonymous). Have I missed something to configure, maybe?

Note: We are not using the wtforms, we have our own custom scheme.

Thanks!

Environment

  • Python version: Python 3.9.12
  • wtforms version: Flask-WTF==1.0.1
  • Flask version: Flask==2.0.3
azmeuk commented May 11, 2022

Hi. Please provide a reproducible example of your issue, ideally some piece of code we can copy/paste so we can see the behavior you are describing. Your messages just don't contain enough information so we can help you.

Note: We are not using the wtforms, we have our own custom scheme.

I don't understand. Are you or are you not using wtforms?

@TomeCirun
Author

@azmeuk Thanks for your quick reply. I now realize that I opened the issue in the wrong repo; it was meant for flask_wtf. Can we move this issue to flask_wtf please, or should I close it here and reopen it in flask-wtf?

By the way, we are only using the CSRF protection, without wtforms, as I said; we have our own custom schema.

Thanks!

@azmeuk azmeuk transferred this issue from pallets-eco/wtforms May 11, 2022

azmeuk commented May 11, 2022

As I said earlier, we cannot help you unless you tell us very precisely how to reproduce the bug you are encountering.

@TomeCirun
Author

I was following the documentation and initialized the CSRFProtect as stated in it:

csrf = CSRFProtect()
csrf.init_app(app)

and as stated in the documentation I'm rendering the hidden input with the token in the form:
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>

I also exempt the blueprints that come from the extensions, I want to implement csrf_protection on the CKAN core first, so we can give more space to the extension's maintainers for implementation, without breaking the app.

Nothing more is added.


azmeuk commented May 11, 2022

I still do not have enough data to fully understand your bug. Please provide a piece of code I can just copy/paste, or a repository I can clone.

@TomeCirun
Author

@azmeuk here is the repo -> https://github.com/ckan/ckan. If you need some help, please let me know.

Thanks

@TomeCirun
Author

I came up with a quick fix, though I'm not sure if this is the best solution.

[image attachment]

I'm calling this function from before_request. There is a raw token in request.form.get('csrf_token'); the one that was missing is from the session when trying to log in/register, and I can't figure out why...


TomeCirun commented May 12, 2022

@azmeuk I think this function might be our problem.
https://github.com/ckan/ckan/blob/86547a5d35c4a3b3b54de598a34f88125417097e/ckan/config/middleware/flask_app.py#L343

I set two breakpoints(), one inside ckan_before_request and one in ckan_after_request.

In ckan_before_request I can print the request.form, and I'm also seeing the token, though not in the session; also the response is 400 (this probably comes from def csrf_protect).

Only when the breakpoint stops on ckan_after_request can I see the csrf_token set in the session, but it's too late; I'm already at 400.

It seems like our forms are late with generating the token, and yet I'm not sure how I see it in request.form.

What is your opinion on this?
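The failure mode described in the comments above (a token present in the submitted form but absent from the session, producing "The CSRF session token is missing.") can be reproduced without Flask at all. The block below is an added, stand-alone model of the double-check that Flask-WTF's CSRFProtect performs; it is not code from the original issue, from Flask-WTF or from CKAN. It assumes a simplified signing scheme (stdlib HMAC over the raw session token instead of itsdangerous, and no expiry), a constructed SECRET_KEY, and represents the Flask session as a plain dict. The error strings are the ones Flask-WTF raises; the function and helper names (generate_csrf, validate_csrf, login_flow, cross_session_post) are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

# Messages Flask-WTF raises from its CSRF check.
SESSION_TOKEN_MISSING = "The CSRF session token is missing."
FORM_TOKEN_MISSING = "The CSRF token is missing."
FORM_TOKEN_INVALID = "The CSRF token is invalid."
TOKENS_DO_NOT_MATCH = "The CSRF tokens do not match."

# Constructed secret for this example; a real app uses app.config["SECRET_KEY"].
SECRET_KEY = b"constructed-secret-key-for-demo"


class CSRFError(Exception):
    """Raised when the CSRF check fails (Flask-WTF aborts with 400 instead)."""


def _mac(raw_token: str) -> str:
    return hmac.new(SECRET_KEY, raw_token.encode(), hashlib.sha256).hexdigest()


def generate_csrf(session: dict) -> str:
    """What csrf_token() does when a template renders: store a raw token in the
    session (once per session) and return the signed copy for the hidden input."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(16)
    raw = session["csrf_token"]
    return f"{raw}.{_mac(raw)}"


def validate_csrf(session: dict, form_token) -> bool:
    """Order of checks mirrors Flask-WTF: form token present, session token present,
    signature valid, then raw values equal. Raises CSRFError with the message."""
    if not form_token:
        raise CSRFError(FORM_TOKEN_MISSING)
    if "csrf_token" not in session:
        raise CSRFError(SESSION_TOKEN_MISSING)
    raw, sep, mac = form_token.rpartition(".")
    if not sep or not hmac.compare_digest(mac, _mac(raw)):
        raise CSRFError(FORM_TOKEN_INVALID)
    if not hmac.compare_digest(raw, session["csrf_token"]):
        raise CSRFError(TOKENS_DO_NOT_MATCH)
    return True


def login_flow(persist_session: bool) -> str:
    """Simulate GET /login (form rendered, token generated) followed by POST /login.

    persist_session=True  -> the session written on GET is carried to the POST
    persist_session=False -> the session was not saved (the symptom in this issue)
    """
    session_on_get: dict = {}
    hidden_input = generate_csrf(session_on_get)   # value of the hidden <input>
    session_on_post = dict(session_on_get) if persist_session else {}
    try:
        validate_csrf(session_on_post, hidden_input)
        return "ok"
    except CSRFError as exc:
        return str(exc)


def cross_session_post() -> str:
    """A form token minted in one session, posted under another: the signature is
    valid, but the raw values differ, so the check still rejects it."""
    victim_session: dict = {}
    generate_csrf(victim_session)
    other_session: dict = {}
    foreign_token = generate_csrf(other_session)
    try:
        validate_csrf(victim_session, foreign_token)
        return "ok"
    except CSRFError as exc:
        return str(exc)


if __name__ == "__main__":
    print("session persisted:", login_flow(True))
    print("session dropped:  ", login_flow(False))
    print("foreign token:    ", cross_session_post())
```

The useful diagnostic is the second case: when the session that csrf_token() wrote during form rendering is not saved before the next request (a session cookie that is only committed in after_request, or a session backend that discards anonymous sessions), the POST arrives with a perfectly valid hidden field and an empty session, and the check fails at the session step before it ever compares tokens. Checking that the Set-Cookie for the session is sent on the GET that renders the login form is the first thing to verify.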

@azmeuk azmeuk added the csrf label Jul 25, 2023