I'm creating a product catalog using Flask and Firebase Authentication. I'm following their docs on how to set up both client and server using their pre-built UI and Session Cookies as stated here: https://firebase.google.com/docs/auth/admin/manage-cookies
GET requests work fine, the server verifies the session cookie on each request and sends content accordingly. But when I do a POST request (submitting a form to create a new item, for example) the server is unable to parse the cookie.
I verified using the Chrome Dev Tools that the session cookie sent to the server on both GET and POST requests are the same. Tried several things I've found googling about similar problems but anything worked. I also tried to find a similar question here but I haven't found any.
EDIT: After a few hours looking again at the problem, I've seen that the cookies are NOT the same on the GET and POST request. I've looked at the requests with the Chrome Dev Tools and I've seen that the GET response returns a Set-Cookie header with an invalid cookie (what makes the POST request to have an invalid cookie and redirect again to the login page).
This only happens on pages where login is required (and redirects to login page if you are not logged in), but still I can't find why Flask is sending a Set-Cookie header with an invalid cookie.
EDIT2: After a few more hours, I've found out that removing the CSRF hidden input from the form on those pages fix the cookie problem (the GET request doesn't make a Set-Cookie), so it has to be related with the CSRF thing but I don't know how. There is any special behavior on session cookies when using CSRF that I'm not taking into account?
"New Item" template:
{% extends "layout.html" %}
{% block title %}
New item
{% endblock %}
{% block head %}
{{ super() }}
<link rel="stylesheet" type="text/css" media="screen" href="{{ url_for('static', filename='form.css') }}">
{% endblock %}
{% block content %}
<form action="{{ url_for('newItem') }}" method = 'post'>
<h1>Create a new item</h1>
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<label>Name</label>
<input type='text' size='30' name='name' placeholder="Name" required>
<label>Description</label>
<textarea rows='4' name='description' placeholder="Description" required></textarea>
<label>Price</label>
<input type='text' size='30' name='price' placeholder="Price" required>
<label>Image URI</label>
<input type='text' size='30' name='image' placeholder="https://example.com/image.png" required>
<label>Category</label>
<select name='category' required>
{% for c in categories %}
<option value="{{ c.id }}">{{ c.name }}</option>
{% endfor %}
</select>
<input type='submit' value='Create'>
Cancel
</form>
{% endblock %}
"Login Required" decorator:
def login_required(f):
#wraps(f)
def decorated_function(*args, **kwargs):
session_cookie = request.cookies.get('session')
# Verify the session cookie. In this case an additional check is added to detect
# if the user's Firebase session was revoked, user deleted/disabled, etc.
try:
decoded_claims = auth.verify_session_cookie(session_cookie, check_revoked=True)
return f(*args, **kwargs)
except ValueError as e:
# Session cookie is unavailable or invalid. Force user to login.
print(e)
return redirect(url_for('login', mode="select", signInSuccessUrl=request.url))
except auth.AuthError as e:
# Session revoked. Force user to login.
print(e)
return redirect(url_for('login', mode="select", signInSuccessUrl=request.url))
return decorated_function
"Items" endpoint (works as expected):
#app.route('/items/<int:item_id>/')
def item(item_id):
session = DBSession()
item = session.query(Item).get(item_id)
session_cookie = flask.request.cookies.get('session')
# Verify the session cookie. In this case an additional check is added to detect
# if the user's Firebase session was revoked, user deleted/disabled, etc.
try:
auth.verify_session_cookie(session_cookie, check_revoked=True)
return render_template('item.html', item=item, logged=True)
except ValueError as e:
# Session cookie is unavailable or invalid. Force user to login.
print(e)
return render_template('item.html', item=item, logged=False)
except auth.AuthError as e:
# Session revoked. Force user to login.
print(e)
return render_template('item.html', item=item, logged=False)
"New Item" endpoint (returns a Set-Cookie header with an invalid cookie to GET requests):
#app.route('/items/new/', methods=['GET', 'POST'])
#login_required
def newItem():
session_cookie = flask.request.cookies.get('session')
decoded_claims = auth.verify_session_cookie(session_cookie, check_revoked=True)
session = DBSession()
categories = session.query(Category).all()
if request.method == 'GET':
return render_template('new_item.html', categories=categories, logged=True)
else:
# SOME LOGIC HERE
# [...]
return redirect(url_for('item', item_id = newItem.id))
The error I get on the POST request is the following:
Value Error
Can't parse segment: \���
To solve the problem I changed the cookie name from 'session' to any other name. I don't know why Flask keeps sending Set-Cookie headers for the 'session' cookie, so if anyone knows why please comment it out.
Related
I am just learning to code and this has been driving me crazy. I don't know if I am missing something very simple or have a total misunderstanding about how authentication works (very possibly both), however, i would appreciate someone help.
I have created a login route for my flask app which renders the following and successfully allows a user logging in.
Login Page
If a user successfully logs in, i want to set the Authorization header using a token generated using JWT. I am using the request libary to do this and get a 200 response but everytime i check the network tab, i can not see the token in the 'Authorization' Response Header.
The idea is that once this Header has been set, i can protect my apis by ensuring a token is present and also use that information to ensure that APIs only return data for that user i.e. decrypt the token to work out the user.
Network tab - No Authorization Header
This is my current code. Where am i going wrong? Does my approach sound correct?
#loginsBlueprint.route('/login', methods=['GET', 'POST'])
def login():
error = None
if request.method == 'POST':
user = User.query.filter_by(username=request.form['username']).first()
if user is not None and bcrypt.check_password_hash(user.password, request.form['password']):
token = jwt.encode(
{'user': request.form['username'], 'exp': datetime.datetime.utcnow() + datetime.timedelta(seconds=15)},
app.config['SECRET_KEY'])
url = 'http://127.0.0.1:5000/login'
headers = {'Authorization': 'Bearer ' + token}
requests.get(url, headers=headers)
return render_template('landing_page.html')
else:
return make_response('Could not verify', 403,
{'WWW-Authenticate': 'Basic realm ="Wrong Password !!"'})
return render_template('login.html', error=error)
login.html
<html>
<head>
<title>Flask Intro - login page</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link href="static/bootstrap.min.css" rel="stylesheet" media="screen">
</head>
<body>
<div class="container">
<h1>Please login</h1>
<br>
<form action="" method="post">
<input type="text" placeholder="Username" name="username" value="{{
request.form.username }}">
<input type="password" placeholder="Password" name="password" value="{{
request.form.password }}">
<input class="btn btn-default" type="submit" value="Login">
</form>
{% if error %}
<p class="error"><strong>Error:</strong> {{ error }}
{% endif %}
</div>
</body>
</html>
Note: I have tried changing to requests.post but get a 400:
127.0.0.1 - - [30/Mar/2021 21:53:29] "←[31m←[1mPOST /login HTTP/1.1←[0m" 400
I thought it might be because i'm using CORS and so added this in:
CORS(app, expose_headers='Authorization')
A few things which are confusing here:
In the login() method, you make a requests.get() call. So it looks like you're calling a new endpoint from your app. Is that how it should work? To be exact, you seem to check the user's credentials, issue a JWT and then call the /login endpoint of an app listening on port 5000, setting the JWT as the bearer token.
Authorization is a request header. You don't use it in responses to the client. If you want to return the JWT to the client use one of the OAuth flows, either the Code flow (preferably) or the Implicit flow.
Once you'll get the token to your client, then you should use it as you said - set in the Authorization header as a Bearer token. As you're using flask, you can use this filter to secure your APIs.
I have two forms on two pages, one leads to the other. When "Submit" is pressed on page 1 it is supposed to take you to the form on page 2. Page 2 fails with "CSRF verification failed. Request aborted." With the reason being "CSRF cookie not set."
The weird part is that if I go directly to Page 2, it loads fine. If I refresh the page and resubmit the form, I get 403'd again, but if, for example, I go into the address bar and just hit "Enter" to re-visit the page, it loads without the error. What gives?
I am using the most recent version of Django, I am using render in all my views and {% csrf_token %} in all my form tags.
Why would revisiting the page be fixing the 403 error? No login or authentication is happening between the forms. In fact, I don't even do anything with the data submitted in page 1 (yet).
Relevant code is as follows:
Page 1 Template:
<div class="">
<div class="">
<h1>Page 1</h1>
<p>What's up?</p>
<form action="{% url 'core:getPageTwo' %}" method="post">
{% csrf_token %}
{{ form }}
<input class="yellow_button" type="submit" value="Submit">
</form>
</div>
</div>
Page 2 View:
def getPageTwo(request):
form = SomeForm()
context = {'form' : form}
return render (request, 'core/page_two.html', context)
Page 2 Template:
<div class="">
<div class="">
<h1>Page 2</h1>
<form action="#" method="post">
{% csrf_token %}
{{ form }}
</form>
</div>
</div>
Found it. My HTTPS was messing up. So the fact that I had CSRF_COOKIE_SECURE = TRUE was messing up all attempts to send a cookie.
In addition to your answer #thrillhouse :
CSRF_COOKIE_SECURE=True makes the csrf token only work with ssl, like the docs also say:
Whether to use a secure cookie for the CSRF cookie. If this is set to True, the cookie will be marked as “secure,” which means browsers may ensure that the cookie is only sent with an HTTPS connection.
So when you switch back to HTTPS connection, you should turn the value back to True.
I have a form that you need to fill out using a POST request, but I want to the result to be a redirection to various pages on my site. Sometimes I want the user to be redirected to a profile page, sometimes to a purchase page.
So I put the redirect URI in the GET params of the URL of the form page that POSTs:
/form/?redirect_uri=/payments/
The url is correct upon landing on the forms page, with the appropriate redirect_uri. However, when I fill out the form and POST, Django doesn't seem to think there are any params in the GET request.
How can I get those params from the URL out on a POST request?
EDIT:
def form_view(request):
if request.method == "POST":
# Do stuff with form validation here
redirect_uri = "/home/"
if "redirect_uri" in request.GET:
redirect_uri = request.GET['redirect_uri']
if redirect_uri == request.path:
# avoid loops
redirect_uri = "/home/"
return redirect(redirect_uri)
This form page is loaded by accessing this url:
/form/?redirect_uri=/payments/
Form:
<form action="/form/" method="POST" class="wizard-form" enctype="application/x-www-form-urlencoded" autocomplete="off">
{% csrf_token %}
<fieldset class="form-group">
<label for="email">Email address</label>
<input name="email" type="text" class="form-control" id="email" placeholder="Enter email or username" required>
</fieldset>
<button type="submit" class="btn btn-primary">Go</button>
</form>
Your form has to be modified as follows:
<form action="/form/?redirect_uri={{ request.GET.redirect_url}}"
method="POST" class="wizard-form"
enctype="application/x-www-form-urlencoded" autocomplete="off">
Permit me to also suggest a slight optimization to your view
def form_view(request):
if request.method == "POST":
# Do stuff with form validation here
redirect_uri = request.GET.get('redirect_uri',"/home/")
if "redirect_uri" == request.path:
# avoid loops
redirect_uri = "/home/"
return redirect(redirect_uri)
In the POST request - i.e. when you submit the form - the url will be what you specified in the 'action' attribute in the form. If the parameters you require are not there, your view will not get them.
So either update your forms's action attribute to have these parameters or alternatively you can add thin in the form itself (as hidden inputs).
In GET request you will get attributes from url that you see in the browser.
I want to add unit tests to my flask app that tests form behavior on valid and invalid logins + signups. Currently, I have the signup form and a login form hosted on one page and route, and am using a hidden input field to identify which of the two forms is submitted / determine next actions.
My question is - how do I write a unit test that targets a specific form on a page? All the examples I've seen so far post data to a specific route, which is currently what I am doing. But that is failing because I need an added way to say "and we're submitting x form".
So is there a way to add "and we're submitting x form" in the post request?
**
edited to add, here are the different ways I've tried to pass the hidden form data in the post data dict, with no success.
data = dict(username="test#gmail.com", password="test", login_form)
data = dict(username="test#gmail.com", password="test", "login_form")
data = dict(username="test#gmail.com", password="test", login_form=True)
login unit test:
from app import app
import unittest
class FlaskTestCase(unittest.TestCase):
#ensure that login works with correct credentials
def test_correct_login(self):
tester = app.test_client(self)
response = tester.post(
'/login',
data = dict(username="test#gmail.com", password="test"),
follow_redirects=True
)
self.assertIn(b'you are logged in', response.data)
login route in views.py:
#app.route('/login', methods=['POST', 'GET'])
def login():
login_form = LoginForm()
signup_form = SignupForm()
error_login = ''
error_signup = ''
#login form
if 'login_form' in request.form and login_form.validate():
# do login form stuff
#signup form
if 'signup_form' in request.form and signup_form.validate():
# do signup form stuff
return render_template('login.html', login_form=login_form, signup_form=signup_form, error=error)
login.html:
<div class="login-form form-400">
<h3>Log In To Your Account</h3>
<form action="" method="post">
<input type="hidden" name="login_form">
{% if error_login != '' %}
<label class="error">
{{ error_login }}
</label>
{% endif %}
{% from "_formhelper.html" import render_field %}
{{ login_form.hidden_tag() }}
{{ render_field(login_form.email, placeholder="Your Email", class="form-item__full", type="email") }}
{{ render_field(login_form.password, placeholder="Your Password", class="form-item__full") }}
<input type="submit" value="Login" class="button button-blue">
</form>
</div>
<p class="login-divider">or</p>
<div class="signup-form form-400">
<h3>Create a New Account</h3>
<form action="" method="post">
<input type="hidden" name="signup_form">
{% if error_signup != '' %}
<label class="error">
{{ error_signup | safe}}
</label>
{% endif %}
{% from "_formhelper.html" import render_field %}
{{ signup_form.hidden_tag() }}
{{ render_field(signup_form.username, placeholder="Pick a Username", class="form-item__full") }}
{{ render_field(signup_form.email, placeholder="Your Email", class="form-item__full", type="email") }}
{{ render_field(signup_form.password, placeholder="Create a Password", class="form-item__full") }}
<input type="submit" value="Sign Up" class="button button-green">
</form>
</div>
Ok I figured it out. To pass the login_form info, I had to end up passing an empty string on the login_form like this:
def test_correct_login(self):
tester = app.test_client(self)
response = tester.post(
'/login',
data = dict(username="test#gmail.com", password="test", login_form=""),
follow_redirects=True
)
self.assertIn(b'you are logged in', response.data)
I did this by throwing a print request.form in my views.py for this route and then saw the empty string.
It was still failing, but because the login_form.validate() was failing because of the csrf token added by the WTForms module. In the end, this discussion had the answer.
Flask-WTF / WTForms with Unittest fails validation, but works without Unittest
Thanks #drdrez for your suggestions!
Update:
Thanks for updating your question with what you've already tried! I have a few other ideas about what's causing the issue.
Let's continue to look at the HTML and try to understand the technologies your program is built on top of. In the server side login.html file, notice these lines:
{% from "_formhelper.html" import render_field %}
{{ login_form.hidden_tag() }}
{{ render_field(login_form.email, placeholder="Your Email", class="form-item__full", type="email") }}
{{ render_field(login_form.password, placeholder="Your Password", class="form-item__full") }}
It isn't HTML, and is probably being processed on the server side to produce HTML and serve to the client. The line that contains login_form.hidden_tag() looks interesting, so I would recommend loading this page in your browser and inspecting the HTML served to the client. Unfortunately, I haven't used Flask before, so I can't give any more direct help.
However, my advice is to continue digging into how Flask and the HTML Form works. The nice thing about Python is you have access to libraries' source code, which allows you to figure out how they work so you can learn how to use them and fix bugs in your application that uses them.
Sorry I can't give you more direct help, good luck!
Let's look at login.html. When you submit a form, how does the login route in views.py know which form was submitted? If you know HTML Forms, <input> elements nested in a form are used to, in this case, post data to your server/application.
Back to login.html, notice these two lines:
...
<h3>Log In To Your Account</h3>
<input type="hidden" name="login_form">
...
<h3>Create a New Account</h3>
<form action="" method="post">
<input type="hidden" name="signup_form">
...
Those are <input> elements, with a type of "hidden", so they won't display, with names of "login_form" and "signup_form", which are included in the data that is submitted by the form.
Now in the login route in views.py, you'll notice there two lines:
#login form
if 'login_form' in request.form and login_form.validate():
# do login form stuff
#signup form
if 'signup_form' in request.form and signup_form.validate():
# do signup form stuff
Those are testing to see if the phrase "login_form" or "signup_form" are in present in the list request.form. Back to your unit test now:
response = tester.post(
'/login',
data = dict(username="test#gmail.com", password="test"),
follow_redirects=True
)
Notice the data you are passing in the dict, this is mimicking the form data, so you should probably include either "login_form" or "signup_form" to mimic the behavior of the HTML form correctly.
If you're unfamiliar with HTML Forms and HTTP Post, I would suggest searching for some tutorials, or just reading documentation on MDN or elsewhere. When building software on top of a technology (like HTTP and HTML), it can be helpful to understand how those technologies work when you run into bugs in your own software.
Hope this helps, let me know if I can clarify anything!
You might be experiencing a problem because you have not flagged the request as being of the form application content type. I note you are trying to access request.form, which requires that the data package is parsed in a certain way. You could try to do something like the following:
response = tester.post(
'/login',
data = dict(username="test#gmail.com", password="test"),
follow_redirects=True,
headers = {"Content-Type":"application/x-www-form-urlencoded"}
)
I'm using Flask-WTF:
Here is my form:
from flask.ext.wtf import Form, TextField
class BookNewForm(Form):
name = TextField('Name')
Here is the controller:
#book.route('/book/new', methods=['GET', 'POST'])
def customers_new():
form = BookNewForm()
if form.is_submitted():
print "submitted"
if form.validate():
print "valid"
if form.validate_on_submit():
flash("Successfully created a new book")
return redirect(url_for('.books_show'))
return render_template('views/books_new.html', form=form)
Now the problem is, if you look at my print statements, it always prints submitted, but it NEVER prints valid and validate_on_submit() is never executed. Why?
You're not inserting the CSRF field in the HTML form.
<form method=post>
{{ form.csrf_token }}
{{ form.name }}
<input type=submit>
</form>
After adding form.csrf_token to the template (docs), the form will validate as expected.
Add print(form.errors) after validating the form to see the errors that were raised. errors will be empty before validation. In this case, there is an error about missing
#book.route('/book/new_no_csrf', methods=['GET', 'POST'])
def customers_new_no_csrf():
form = BookNewForm()
print(form.errors)
if form.is_submitted():
print("submitted")
if form.validate():
print("valid")
print(form.errors)
if form.validate_on_submit():
flash("Successfully created a new book")
return redirect(url_for('.books_show'))
return render_template('books_new.html', form=form)
{}
submitted
{'csrf_token': [u'CSRF token missing']}
127.0.0.1 - - [29/May/2012 02:01:08] "POST /book/new_no_csrf HTTP/1.1" 200 -
127.0.0.1 - - [29/May/2012 02:01:08] "GET /favicon.ico HTTP/1.1" 404 -
I created an example on GitHub.
you can print errors
print form.errors
or
app.logger.debug(form.errors)
and if you got csrf-error, you should set form.csrf_token in your template.
I came across this when trying to render a FormField being iterated over my FieldList in my template. I had to embed two hidden_tag elements one for the FieldList form and one for the FieldForm form, search the template comments for keyword "HIDDEN TAG"
class ParamRangeForm( FlaskForm ):
minX = FloatField( )
maxX = FloatField( )
class ParamRangesForm( FlaskForm ):
paramRanges = FieldList( FormField( ParamRangeForm ) )
submit = SubmitField( 'Submit' )
def loadParams( self ) :
for paramName in ["p1" , "p2" , "p3", "p4"] :
prf = ParamRangeForm( )
prf.minX = -100.9#float('-inf')
prf.maxX = 100.5#float('-inf')
self.paramRanges.append_entry( prf )
...
<form action="" method="POST" enctype="multipart/form-data">
{{ rangesForm.hidden_tag() }} <!--#### HIDDEN TAG #1 -->
<table>
<!--Print Column Headers-->
<thead>
<tr>
<th class="ColumnHeader">Parameter</td>
<th class="ColumnHeader">Min</td>
<th class="ColumnHeader">Max</td>
</tr>
</thead>
<!--Print Parameter Rows-->
<tbody>
{% for paramRange in rangesForm.paramRanges %}
<tr>
{{ paramRange.hidden_tag() }} <!--#### HIDDEN TAG #2 -->
<td>p{{ loop.index }}</td>
<td>{{ paramRange.minX }}</td>
<td>{{ paramRange.maxX }}</td>
</tr>
{% endfor %}
</tbody>
</table>
</div>
{{ rangesForm.submit() }}
</form>
insert this after the tag in template html file:
{{ form.csrf_token }}
I was clearing the flask session if I wasn't logged in before every request. This was causing this issue.
#main.before_request
def before_request():
if not current_user.is_authenticated():
# TODO clean sessions may cause CSRF missing issue
session.clear()
print "Session Cleared"
return redirect(url_for('auth.login'))
I think the API has changed.Maybe try changing
from flask.ext.wtf import Form
to:
from flask_wtf import Form
I spent a several hours debugging a validation issue with Flask-WTF. The issue like many others was a CSRF validation issue. However, mine was not caused by any of the common issues I have found.
The standard Flask-WTF implementation of CSRF requires two things be delivered to the browser.
One: The hidden CSRF form field e.g.
<input id="csrf_token" name="csrf_token" type="hidden" value="ImYzODdmZTdhYTRlMmNkYWRjYmRlYWFmZjQxMDllZTQ1OWZmYzg3MTki.XKvOPg.gUCkF9j-vg0PrL2PRH-v43GeHu0">
Two: The session cookie HTTP response header e.g.
Set-Cookie: session=eyJjc3JmX3Rva2VuIjoiZjM4N2ZlN2FhNGUyY2RhZGNiZGVhYWZmNDEwOWVlNDU5ZmZjODcxOSJ9.XKvOPg.a3-W62MHvaGVkv2GYCi-dgpLE3Y; HttpOnly; Path=/
If either of these are missing the browser will fail to send the proper CSRF validation. Of course, this in turn causes the form validation to fail.
If the csrf_token hidden field is present in the form but the session cookie is missing, you will receive the following response when the form is submitted...
Bad Request
The CSRF session token is missing.
In my case the session cookie was missing because of a bug in my code. I needed to serve a custom HTTP header across the entire Flask site. I included it like this...
class LocalFlask(Flask):
def process_response(self, response):
response.headers['my-header'] = 'My Header Value'
return response
app = LocalFlask(__name__)
This however causes anything that rellys on the the Flask.response.headers method to fail. One of those is Flaks-WTF setting the session cookie HTTP header.
This can be solved by adding the super() method to the LocalFlask class so that it inherits methods form the Flask class.
class LocalFlask(Flask):
def process_response(self, response):
response.headers['my-header'] = 'My Header Value'
#LocalFlask inherits methods from Flask
super(LocalFlask, self).process_response(response)
return response
app = LocalFlask(__name__)
Well I tried all the solutions mentioned
form.hidden_tag()
form.csrf_token
form.csrf
with
app.secret_key=""
app.config["SECRET_KEY"]=""
but form.validate_on_submit() always returned false.
None of these seem to work for me, so I used the basic method and this method
import request
request.method="POST"
or
form.is_submitted()
These two worked for me