Comments (9)

jirikuncar avatar jirikuncar commented on August 16, 2024

The default form validation stopped working: https://github.com/inveniosoftware/invenio-oauthclient/blob/master/invenio_oauthclient/utils.py#L117

from invenio-oauthclient.

jirikuncar avatar jirikuncar commented on August 16, 2024

It looks like Flask-WTF>=0.14 has some issues with CSRF validation.

pip install Flask-WTF==0.13

switowski avatar switowski commented on August 16, 2024

Latest version of Flask-WTF (0.14.2) seems to have this issue fixed (tested with @egabancho on cdslabs-qa), so we can close it.

egabancho avatar egabancho commented on August 16, 2024

I think this issue is still valid, we didn't test it properly as the error only happens at first login.
Indeed, the only version of Flask-WTF that seems to be working is 0.13.1.

cc @pamfilos @ioannistsanaktsidis

tobiashuste avatar tobiashuste commented on August 16, 2024

I wanted to let you know that I still experienced problems with CSRF validation in combination with the invenio-userprofiles module.
For the RegistrationForm without invenio-userprofiles, everything worked as expected. With invenio-userprofiles enabled, form validation stopped working again. (I used the create_csrf_disabled_registrationform() function from invenio-oauthclient.)

The problem was that in the subform created by invenio-userprofiles, CSRF validation was still active. After deleting the csrf_token in the subform and also setting CSRF validation to False, the form validation succeeded.

My current solution is to disable CSRF validation as follows for Flask-WTF>=0.14 for a given form:

from wtforms import FormField

def disable_csrf(form):
    # Turn CSRF off on this form and drop the token field that was already
    # bound when the form was built (Flask-WTF>=0.14 binds it by default).
    form.meta.csrf = False
    if 'csrf_token' in form:
        del form.csrf_token
    # FormField subforms (e.g. the invenio-userprofiles profile form) are
    # built with their own Meta, so each of them needs the same treatment.
    for f in form:
        if isinstance(f, FormField):
            disable_csrf(f.form)

I wanted to let you know my experience just in case the same situation is valid for invenio-oauthclient.

miltalex avatar miltalex commented on August 16, 2024

I tried to replicate the issue using Flask-WTF (0.14.2) and invenio-userprofiles (1.0.0b1), and after testing it (with @ntarocco), create_csrf_disabled_registrationform() seems to be working as expected.

lnielsen avatar lnielsen commented on August 16, 2024

@tobiasfrust Can you check whether you have the latest releases of all packages and see if you are still experiencing the issue? If you still have the issue, further information on exactly how to replicate it would help us a lot in trying to fix it for good.

tobiashuste avatar tobiashuste commented on August 16, 2024

I just tried to replicate the issue by providing some tests with WTF_CSRF_ENABLED=True. You can see my code changes in this commit.

I just ran the tests with Travis and you can see the result e.g. here. As you can see, form validation fails with the currently used method. I also printed the form to the console, and there was a csrf_token in the userprofiles subform, which I guess is the reason validation fails.
The output of the print statements is shown here.

In your oauth_register function you call form.validate(). If I did not miss anything in my tests, the user registration should not succeed because form.validate() returns False. So, there should only be a problem on the very first sign-in.

I also added a second test, which uses an updated way of disabling CSRF (https://github.com/tobiasfrust/invenio-oauthclient/blob/21c1189679ce4be89c5ed2dd7db2a53452aa385c/invenio_oauthclient/utils.py#L238-L268). With these changes, form validation succeeds.

If you need further information or if I missed anything, just let me know.

miltalex avatar miltalex commented on August 16, 2024

@tobiasfrust Thank you for the information, we managed to reproduce the issue through the tests and will try to fix it.