Comments (9)
The default form validation stopped working: https://github.com/inveniosoftware/invenio-oauthclient/blob/master/invenio_oauthclient/utils.py#L117
It looks like Flask-WTF>=0.14 has some issues with CSRF validation.
```shell
pip install Flask-WTF==0.13
```
Latest version of Flask-WTF (0.14.2) seems to have this issue fixed (tested with @egabancho on cdslabs-qa), so we can close it.
I think this issue is still valid; we didn't test it properly, as the error only happens at first login.
Indeed the only version of Flask-WTF that seems to be working is 0.13.1.
cc @pamfilos @ioannistsanaktsidis
I wanted to let you know that I still experienced problems with CSRF validation in combination with the invenio-userprofiles module.
For the RegistrationForm which did not include invenio-userprofiles, everything worked as expected. With invenio-userprofiles enabled, form validation stopped working again. (I used the create_csrf_disabled_registrationform() function from invenio-oauthclient.)
The problem was that in the subform created by invenio-userprofiles, CSRF validation was still active. After deleting the csrf_token in the subform and also setting CSRF validation to false, the form validation succeeded.
My current solution is to disable CSRF validation as follows for Flask-WTF>=0.14 for a given form:
```python
from wtforms import FormField


def disable_csrf(form):
    # Turn CSRF off on this form instance and drop its token field.
    form.meta.csrf = False
    if 'csrf_token' in form:
        del form.csrf_token
    # FormField subforms are built from their own Meta, so recurse into them.
    for f in form:
        if isinstance(f, FormField):
            disable_csrf(f.form)
```
I wanted to let you know my experience just in case the same situation is valid for invenio-oauthclient.
I tried to replicate the issue, using Flask-WTF (0.14.2) and invenio-userprofiles (1.0.0b1), and after testing it (with @ntarocco), create_csrf_disabled_registrationform() seems to be working as expected.
@tobiasfrust Can you check if you have all the latest releases of packages and see if you are still experiencing the issue? If you still have the issue, further information on exactly how to replicate it would help us a lot in trying to fix it for good.
I just tried to replicate the issue by providing some tests with WTF_CSRF_ENABLED=True. You can see my code changes in this commit.
I just ran the tests with Travis and you can see the result e.g. here. As you can see, form validation fails with the currently used method. I also printed the form to the console, and there was a csrf_token in the userprofiles subform, which is the reason for failing validation, I guess.
The output of the print statements is shown here.
In your oauth_register function you call form.validate(). If I did not miss anything in my tests, the user registration should not succeed because of form.validate()=False. So, there should only be a problem on the very first sign-in.
I also added a second test, which uses an updated way of disabling CSRF (https://github.com/tobiasfrust/invenio-oauthclient/blob/21c1189679ce4be89c5ed2dd7db2a53452aa385c/invenio_oauthclient/utils.py#L238-L268). With these changes, form validation succeeds.
If you need further information or if I missed anything, just let me know.
@tobiasfrust Thank you for the information, we managed to reproduce the issue through the tests and will try to fix it.