Comments (17)

nickjj commented on May 29, 2024

Is the same SECRET_KEY being used in instance/settings.py? Because that one is going to "win" vs the one in config/settings.py. If you recently switched the key, you would need to restart your server for it to take effect.

Is it a custom form you've added to the project? Is it being executed via ajax or a regular submission?

CSRF tokens get injected into all forms created with this macro due to L75:
https://github.com/nickjj/build-a-saas-app-with-flask/blob/master/catwatch/templates/macros/form.jinja2#L59

There's also this as well for ajax submissions:
https://github.com/nickjj/build-a-saas-app-with-flask/blob/master/catwatch/templates/layouts/base.jinja2#L12

You will need to adjust your ajax calls to use that meta tag like so:
https://github.com/nickjj/build-a-saas-app-with-flask/blob/master/catwatch/assets/scripts/stripe.js#L115
https://github.com/nickjj/build-a-saas-app-with-flask/blob/master/catwatch/assets/scripts/stripe.js#L80-L89

from build-a-saas-app-with-flask.

treldor commented on May 29, 2024

It's not ajax or custom,
just the normal sign in or sign up > csrf token invalid or missing

nickjj commented on May 29, 2024

Sounds like there might be something wrong in your production environment because it sounds like it's working in development?

treldor commented on May 29, 2024

Yes, it works in development!
But what can be wrong? Only SECRET_KEY in settings/instance.py is different.
Should it be defined anywhere else?

treldor commented on May 29, 2024

CSRF only depends on the SECRET_KEY value, correct?

nickjj commented on May 29, 2024

You might be using an old version of the secret_key and you're getting a mismatch. Try restarting Flask.

treldor commented on May 29, 2024

I do: sudo systemctl restart docker
It still does not work, same CSRF error.

Should SECRET_KEY only be in instance/settings.py?

nickjj commented on May 29, 2024

It should be in both. config/settings.py will be used in development and instance/settings.py will be used in production or any environment where you'd want to protect sensitive data.

treldor commented on May 29, 2024

Only SECRET_KEY affects CSRF, correct?

treldor commented on May 29, 2024

Also, does the SSL certificate? Because I didn't do that step yet, it's still unsecured.

nickjj commented on May 29, 2024

Flask-WTF mentions that it uses SECRET_KEY in their docs here: https://flask-wtf.readthedocs.org/en/v0.8.3/#configuring-flask-wtf

Lack of SSL wouldn't affect anything with CSRF warnings/errors.

treldor commented on May 29, 2024

Unfortunately it does not work.
SECRET_KEY is in instance/settings.py.
CSRF error on all forms: login/signup/issue.

Any good ideas?

nickjj commented on May 29, 2024

I would need much more detail but it sounds like the code itself is working because it runs fine in development. There must be something in your deploy pipeline that's causing a mix up somewhere.

treldor commented on May 29, 2024

I can even see the CSRF token in the developer tools in the browser from the production server.

Correct, the code is working fine in development; the only thing different I can think of in production is settings/instance.py.
This (sorry for the big post):

ANALYTICS_GOOGLE_UA = 'XXX'

SERVER_NAME = '46.XXX.XXX.XXX'

SECRET_KEY = 'complexpassword'
WTF_CSRF_ENABLED = True
DEBUG = False
LOG_LEVEL = 'INFO'

MAIL_USERNAME = '[email protected]'
MAIL_PASSWORD = 'thebestpasswordyouevermade'

db_uri = 'postgresql://catwatch:bestpassword@postgres:5432/catwatch'
SQLALCHEMY_DATABASE_URI = db_uri
SQLALCHEMY_POOL_SIZE = 25

CACHE_REDIS_URL = 'redis://redis:6379/0'

CELERY_BROKER_URL = 'redis://redis:6379/0'
CELERY_RESULT_BACKEND = 'redis://redis:6379/0'
CELERY_REDIS_MAX_CONNECTIONS = 25

APP_NAME = 'catwatch'

elie-h commented on May 29, 2024

If it's slowing you down you could disable CSRF as a temporary workaround by adding WTF_CSRF_ENABLED = False in instance/settings.py.

If that stops the CSRF error then you'll be sure your settings file is being read by the app.

nickjj commented on May 29, 2024

There's nothing wrong with that config. It's likely due to you changing your secret_key and either not copying a fresh version of this file to your server, or forgetting to restart flask.

Double check everything on your server.

from build-a-saas-app-with-flask.
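
An added example (not code from this thread or from the project) of the two points raised above: values in the instance settings file override the config file, and a process still holding an older SECRET_KEY rejects tokens signed with the current one. The helper names, file names and keys are constructed, and the token is a simplified HMAC stand-in, not Flask-WTF's actual format.

```python
import hashlib
import hmac
import os
import tempfile

def load_pyfile(path):
    """Return the UPPERCASE names a settings file defines ({} if missing)."""
    if not os.path.exists(path):
        return {}
    scope = {}
    with open(path) as fh:
        exec(compile(fh.read(), path, "exec"), scope)
    return {k: v for k, v in scope.items() if k.isupper()}

def effective_config(config_path, instance_path):
    """Layer both files; values from the instance file win."""
    merged = load_pyfile(config_path)
    merged.update(load_pyfile(instance_path))
    return merged

def fingerprint(secret_key):
    """Short digest for comparing keys across hosts without logging the key."""
    return hashlib.sha256(secret_key.encode()).hexdigest()[:12]

def sign_token(secret_key, nonce):
    """Toy keyed token (nonce + HMAC tag); an assumption, not Flask-WTF's format."""
    tag = hmac.new(secret_key.encode(), nonce.encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{tag}"

def verify_token(secret_key, token):
    nonce, _, tag = token.partition(".")
    return hmac.compare_digest(sign_token(secret_key, nonce), f"{nonce}.{tag}")

def demo():
    """Constructed files: one process loaded config before the instance file existed."""
    with tempfile.TemporaryDirectory() as d:
        cfg, inst = os.path.join(d, "config.py"), os.path.join(d, "instance.py")
        with open(cfg, "w") as fh:
            fh.write("SECRET_KEY = 'dev-key'\n")
        stale = effective_config(cfg, inst)["SECRET_KEY"]   # instance file absent
        with open(inst, "w") as fh:
            fh.write("SECRET_KEY = 'prod-key'\n")
        fresh = effective_config(cfg, inst)["SECRET_KEY"]   # instance file wins
    token = sign_token(fresh, "constructed-nonce")
    return {"fingerprints_match": fingerprint(stale) == fingerprint(fresh),
            "fresh_accepts": verify_token(fresh, token),
            "stale_accepts": verify_token(stale, token)}
```

Logging the fingerprint at application start-up and comparing it with the fingerprint of the deployed file shows whether the running process picked up the key you expect.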

nickjj commented on May 29, 2024

Closing this as there's an entirely new code base.
