For some time now, we have occasionally been receiving an error when users try to submit an EasyForm form. As we run a heavily frequented site, we receive between 4 and 14 issues in Sentry per day due to the error.
We have already tried to reproduce the error with various scenarios, but it seems to occur randomly. Through Sentry, I know that the error occurs for both anonymous and logged-in users, as well as for various forms and form data.
Yesterday, I was lucky enough to have the error occur locally for the first time, and I was able to take a closer look. The token authentication fails in plone.protect.authenticator._verify_request: the X-CSRF-TOKEN from the request is present, but does not match any of those from the keyring (line 88). If you reload the page and resubmit the form, the error persists. However, if I go back in the browser (from the error page to the EasyForm) and submit it again with the already filled-in data, the authentication works.
So far, I have had little to no contact with plone.protect and its surroundings and have not been able to identify the cause of the error, or why the tokens differ in rare cases and the authentication fails. Especially for anonymous users, the error is impractical, as they then get shown a 403 error page. Has anyone else run into this error before or have an idea what could be causing it?
Forbidden: Form authenticator is invalid.
  File "ZPublisher/WSGIPublisher.py", line 162, in transaction_pubevents
    yield
  File "ZPublisher/WSGIPublisher.py", line 371, in publish_module
    response = _publish(request, new_mod_info)
  File "ZPublisher/WSGIPublisher.py", line 266, in publish
    result = mapply(obj,
  File "ZPublisher/mapply.py", line 85, in mapply
    return debug(object, args, context)
  File "ZPublisher/WSGIPublisher.py", line 63, in call_object
    return obj(*args)
  File "eggs/plone.z3cform-1.1.3-py3.8.egg/plone/z3cform/layout.py", line 63, in __call__
    self.update()
  File "eggs/plone.z3cform-1.1.3-py3.8.egg/plone/z3cform/layout.py", line 47, in update
    self.form_instance.update()
  File "eggs/collective.easyform-3.1.1-py3.8.egg/collective/easyform/browser/view.py", line 302, in update
    super(EasyFormForm, self).update()
  File "eggs/plone.z3cform-1.1.3-py3.8.egg/plone/z3cform/fieldsets/extensible.py", line 65, in update
    super(ExtensibleForm, self).update()
  File "eggs/plone.z3cform-1.1.3-py3.8.egg/plone/z3cform/patch.py", line 30, in GroupForm_update
    _original_GroupForm_update(self)
  File "eggs/z3c.form-3.7.1-py3.8.egg/z3c/form/group.py", line 145, in update
    self.actions.execute()
  File "eggs/plone.app.z3cform-3.2.4-py3.8.egg/plone/app/z3cform/csrf.py", line 21, in execute
    CheckAuthenticator(self.request)
  File "eggs/plone.protect-4.1.6-py3.8.egg/plone/protect/authenticator.py", line 126, in check
    raise Forbidden('Form authenticator is invalid.')
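Added example (not plone.protect's own code, and not from the poster): a simplified model of a keyring-based form authenticator, where the token is an HMAC of the user id under the newest key and verification accepts any key still in the ring. It shows the two ways a token that is present can still match nothing in the ring: the ring has rotated past the key that signed the form, or the identity at submit time differs from the one at render time. RING_SIZE, the secrets and the user ids are constructed values.

```python
import hashlib
import hmac
from collections import deque

# Hypothetical ring size; the real keyring's size and rotation schedule differ.
RING_SIZE = 5


class KeyRing:
    """Newest key first; each rotation pushes a fresh key and drops the oldest."""

    def __init__(self, size=RING_SIZE):
        self.keys = deque(maxlen=size)

    def rotate(self, new_secret: bytes) -> None:
        self.keys.appendleft(new_secret)

    def current(self) -> bytes:
        return self.keys[0]


def create_token(ring: KeyRing, user: str) -> str:
    """Token rendered into the form: HMAC of the user id under the newest key."""
    return hmac.new(ring.current(), user.encode(), hashlib.sha256).hexdigest()


def verify_token(ring: KeyRing, user: str, token: str) -> bool:
    """Accept the token if any key still in the ring reproduces it.

    Older keys are tried so that a form rendered shortly before a rotation
    still submits; constant-time comparison avoids leaking match position.
    """
    for key in ring.keys:
        expected = hmac.new(key, user.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, token):
            return True
    return False


def rotations_until_stale(user: str, size=RING_SIZE) -> int:
    """How many rotations a token issued now survives before it stops matching."""
    ring = KeyRing(size)
    ring.rotate(b"constructed-secret-0")
    token = create_token(ring, user)
    n = 0
    while verify_token(ring, user, token):
        n += 1
        ring.rotate(f"constructed-secret-{n}".encode())
    return n  # equals the ring size: the signing key has been pushed out
```

The second failure mode is visible by rendering for one identity and verifying for another: a token created for "Anonymous User" does not verify once the request is attributed to a logged-in member, because the user id is part of the MAC input.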