python - Flask-wtf: csrf_token is removed from session before I can POST my form


I'm using Flask and Flask-Security (specifically Flask-WTF regarding the CSRF issue) to "ease" the process of registering/logging in users (not that easy so far). I'm using Backbone.js on the front-end, therefore I kind of hacked the original way of using Flask-WTF. Indeed, I make an ajax request to /register to get the register page (generated by Flask-Security), and put the resulting html in a modal.

```javascript
render: function () {
    var self = this;
    $.ajax({
        type: 'get',
        url: config.constants.servergateway + "/register"
    }).done(function (result) {
        console.log("get register done", result);
        var html = self.template({ config: config, form: result });
        self.$el.html(html);
    }).fail(function (error) {
        console.log("could not register token", error);
        // inside the callback `this` is the jqXHR, not the view, so use `self`
        var html = self.errortemplate({ config: config });
        self.$el.html(html);
    });
    return this;
}
```

This way I have a generated CSRF token, and when I POST the registration data, I send the right CSRF token along with the user data (email and password).

```javascript
submit: function () {
    console.log("submit");
    var self = this;
    var formdata = this.$el.find('form').serialize();
    $.ajax({
        type: 'post',
        url: config.constants.servergateway + "/register",
        data: formdata,
        dataType: 'json'
    }).done(function (result) {
        self.trigger('close');
    }).fail(function (error) {
        console.log("could not submit register data", error);
    });
}
```

On the server side, I can debug the Python code and see that the csrf_token that was generated when I requested the register page has disappeared from the session object, therefore leading to the generation of a new one, which of course doesn't match the one I send with the form. The session is still the same though; its _id is the same during GET and POST.

You can see the code in flask_wtf/csrf.py::generate_csrf(), called when creating the form object in the ::register function of flask_security/views.py:

```python
import hashlib
import os

# excerpt of flask_wtf/csrf.py::generate_csrf(): the token is only minted
# when the session that arrived with the request does not already hold one
if 'csrf_token' not in session:
    session['csrf_token'] = hashlib.sha1(os.urandom(64)).hexdigest()
```

It results in a CSRF token missing error.

An additional piece of information: the front-end and the back-end are delivered by the same server, but they have different port numbers.

Last, when I use a href on the front-end and display the page returned by the server on the 'get' request, submitting the form works well. But I'd like to display the registration form in a modal.

Thanks for your help

Okay, I figured out the solution to my problem. I feel like a noob (which I am).

The problem lay in the session credentials not being sent to the server with the requests, so the server couldn't access the session cookie. I found the solution in the following tutorial: http://backbonetutorials.com/cross-domain-sessions/ . To send it, I added the following lines in the Backbone router's initialize function:

```javascript
// use withCredentials to send the cookies to the server
// the server must allow it through its response headers
$.ajaxPrefilter(function (options, originalOptions, jqXHR) {
    options.xhrFields = {
        withCredentials: true
    };
});
```

This makes all ajax requests include withCredentials = true. On the server side, I had to set Access-Control-Allow-Credentials: true. Since I'm using Flask-CORS, this is done with [supports_credentials=True][2] when creating the CORS object.
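The server side of this fix, as an added example that is not the poster's code nor Flask's: a stand-in for the Flask session store and the flask-wtf check, showing why the POST fails when the browser omits the session cookie, plus the credentialed CORS headers the API must return. ALLOWED_ORIGINS, the port and the in-memory SESSIONS dict are constructed placeholders.

```python
import hashlib
import os
import secrets

# Constructed placeholder: the front-end origin (same host as the API in the
# question but another port), which the browser treats as a separate origin.
ALLOWED_ORIGINS = {"http://localhost:8000"}
SESSIONS = {}  # constructed stand-in for Flask's session store: cookie -> dict


def load_session(cookies):
    """(session_id, session); no session cookie means a fresh, empty session."""
    sid = cookies.get("session")
    if sid not in SESSIONS:
        sid = secrets.token_urlsafe(16)
        SESSIONS[sid] = {}
    return sid, SESSIONS[sid]


def cors_headers(origin):
    """Credentialed CORS headers. Browsers reject Allow-Origin: * together with
    credentials, so echo the exact allowlisted origin; unknown origins get none."""
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def get_register(cookies, origin):
    """GET /register: mint the CSRF token the way flask-wtf's generate_csrf does."""
    sid, session = load_session(cookies)
    if "csrf_token" not in session:
        session["csrf_token"] = hashlib.sha1(os.urandom(64)).hexdigest()
    return session["csrf_token"], {"Set-Cookie": f"session={sid}", **cors_headers(origin)}


def post_register(cookies, form_token):
    """POST /register: the form token must equal the one in the session the cookie
    points at; with no cookie the session is brand new and the check fails."""
    _, session = load_session(cookies)
    if session.get("csrf_token") != form_token:
        return 400, "CSRF token missing or invalid"
    return 200, "registered"


def simulate(with_credentials):
    """Client side of the exchange from the question: GET the form, then POST its
    token back, with the session cookie (withCredentials) or without it."""
    token, headers = get_register({}, "http://localhost:8000")
    cookie = dict([headers["Set-Cookie"].split("=", 1)])
    return post_register(cookie if with_credentials else {}, token)[0]
```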

