Tags: python, flask, flask-wtforms, flask-jwt-extended

FlaskForm, JWT Extended


Looking for some help, clarity, and maybe to get pointed in the right direction regarding Python Flask, WTForms and Flask-JWT-Extended.

I have a login route that works just fine. My protected GET routes work fine as well. However, when I submit a POST request, I get this error: flask_jwt_extended.exceptions.CSRFError: Missing CSRF token

My session has the CSRF token because of FlaskForm. My cookie storage has csrf_access_token as well.

It works for unprotected routes like login and contact.

from datetime import datetime

from flask import make_response, redirect, render_template, request, session, url_for
from flask_jwt_extended import create_access_token, create_refresh_token
from werkzeug.security import check_password_hash

# app, db, User and LoginForm are defined elsewhere in the project (not shown in the post)


# Login
@app.route('/login', methods=['GET', 'POST'])
def login():

    form = LoginForm()

    print(session)

    # validate_on_submit() only passes on a POST whose Flask-WTF csrf_token field is valid
    if form.validate_on_submit():

        data = request.form
        email = data['email']
        password = data['password']

        user = User.query.filter_by(email=email).first()

        if user and check_password_hash(user.password, password):

            # # Check if user verified their email
            # if user.email_verified == False:
            #     # Allow user to request another email
            #     return redirect(url_for('verify_email'))

            access_token = create_access_token(identity=user.id)
            refresh_token = create_refresh_token(identity=user.id)

            # Update last_login date
            user.last_login = datetime.utcnow()
            db.session.commit()

            response = make_response(redirect(url_for('solarsearch')))
            # Cookies are set by hand here. flask_jwt_extended.set_access_cookies() /
            # set_refresh_cookies() would instead apply the JWT_COOKIE_* flags (HttpOnly,
            # Secure, SameSite) and, with JWT_COOKIE_CSRF_PROTECT on, also set the
            # csrf_access_token / csrf_refresh_token double-submit cookies.
            response.set_cookie('access_token_cookie', access_token)  # set the token as a cookie
            response.set_cookie('refresh_token_cookie', refresh_token)  # set the refresh token as a cookie

            session['logged_in'] = True
            session['login_message'] = None

            return response

    # GET, or a failed submit: re-render the form so the view never returns None.
    # The post ends at the return above; the template name is an assumption.
    return render_template('login.html', form=form)

However, for a route like this:

from flask.views import MethodView

# jwt_required_and_not_revoked is the poster's own wrapper around
# flask-jwt-extended's check; its definition is not in the post.
class SolarSearch(MethodView):  # class name assumed; post() is a method of a class-based view

    @jwt_required_and_not_revoked
    def post(self):
        form = SolarSearchForm()

        print(form)

        if form.validate_on_submit():
            ...  # the post ends here

It just fails and throws "Missing CSRF token".

I'm starting to wonder if there's a mix-up somewhere but unsure how to begin debugging.


Solution

  • Removed JWT CSRF protection:

    app.config['JWT_COOKIE_CSRF_PROTECT'] = False  # disable flask-jwt-extended's own cookie CSRF check

    This solved my issue. Only using FlaskForm CSRF protection now.