For some time now, we have occasionally been receiving an error when users try to submit an EasyForm form. As we run a heavily frequented site, we receive between 4 and 14 issues in Sentry per day due to the error.
We have already tried to reproduce the error with various scenarios, but it seems to occur randomly. Through Sentry, I know that the error occurs for both anonymous and logged-in users, as well as for various forms and form data.
Yesterday, I was lucky enough to have the error occur locally for the first time, and I was able to take a closer look. The token authentication fails in plone.protect.authenticator._verify_request: the X-CSRF-TOKEN from the request is present, but does not match those from the keyring (line 88). If you reload the page and resubmit the form, the error persists. However, if I go back in the browser (from the error page to the EasyForm) and submit it again with the already filled-in data, the authentication works.
So far, I have had little to no contact with plone.protect and its surroundings and have not been able to identify the cause of the error, or why the tokens differ in rare cases and the authentication fails. Especially for anonymous users, the error is impractical, as they then get shown a 403 error page. Has anyone else run into this error before or have an idea what could be causing it?
Forbidden: Form authenticator is invalid.
File "ZPublisher/WSGIPublisher.py", line 162, in transaction_pubevents
yield
File "ZPublisher/WSGIPublisher.py", line 371, in publish_module
response = _publish(request, new_mod_info)
File "ZPublisher/WSGIPublisher.py", line 266, in publish
result = mapply(obj,
File "ZPublisher/mapply.py", line 85, in mapply
return debug(object, args, context)
File "ZPublisher/WSGIPublisher.py", line 63, in call_object
return obj(*args)
File "eggs/plone.z3cform-1.1.3-py3.8.egg/plone/z3cform/layout.py", line 63, in __call__
self.update()
File "eggs/plone.z3cform-1.1.3-py3.8.egg/plone/z3cform/layout.py", line 47, in update
self.form_instance.update()
File "eggs/collective.easyform-3.1.1-py3.8.egg/collective/easyform/browser/view.py", line 302, in update
super(EasyFormForm, self).update()
File "eggs/plone.z3cform-1.1.3-py3.8.egg/plone/z3cform/fieldsets/extensible.py", line 65, in update
super(ExtensibleForm, self).update()
File "eggs/plone.z3cform-1.1.3-py3.8.egg/plone/z3cform/patch.py", line 30, in GroupForm_update
_original_GroupForm_update(self)
File "eggs/z3c.form-3.7.1-py3.8.egg/z3c/form/group.py", line 145, in update
self.actions.execute()
File "eggs/plone.app.z3cform-3.2.4-py3.8.egg/plone/app/z3cform/csrf.py", line 21, in execute
CheckAuthenticator(self.request)
File "eggs/plone.protect-4.1.6-py3.8.egg/plone/protect/authenticator.py", line 126, in check
raise Forbidden('Form authenticator is invalid.')
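The keyring comparison the traceback ends in, modelled as an added Python example (this is not plone.protect's own code): a token is an HMAC of the user id under the newest key, and the check accepts it under any key still in the ring, so a token stops validating once the key it was minted with has rotated out or is not in the ring the verifying instance reads. Key material, ring size and the user id are constructed values.

```python
import hashlib
import hmac
from collections import deque


class Keyring:
    """Constructed model of a rotating keyring: newest key first,
    oldest key evicted on every rotation (ring size stays fixed)."""

    def __init__(self, keys):
        self._keys = deque(keys)

    def rotate(self, new_key):
        self._keys.appendleft(new_key)
        self._keys.pop()

    def __iter__(self):
        return iter(self._keys)


def create_token(keyring, user):
    # Mint with the newest key: HMAC over the user id (assumed scheme).
    key = next(iter(keyring))
    return hmac.new(key, user.encode(), hashlib.sha1).hexdigest()


def verify_token(keyring, user, token):
    # Accept if the token matches under ANY key still in the ring.
    for key in keyring:
        expected = hmac.new(key, user.encode(), hashlib.sha1).hexdigest()
        if hmac.compare_digest(expected, token):
            return True
    return False  # this is the "Form authenticator is invalid" branch


def demo():
    ring = Keyring([b"k3", b"k2", b"k1"])       # constructed keys
    token = create_token(ring, "Anonymous User")
    results = [verify_token(ring, "Anonymous User", token)]
    ring.rotate(b"k4")                          # k3 still in ring: valid
    results.append(verify_token(ring, "Anonymous User", token))
    ring.rotate(b"k5")
    ring.rotate(b"k6")                          # k3 evicted: Forbidden
    results.append(verify_token(ring, "Anonymous User", token))
    return results


if __name__ == "__main__":
    print(demo())
```

A token from a form rendered before the minting key left the ring (or one verified against a ring that never held that key) fails exactly like the third check, while a freshly rendered form gets a token under the current newest key.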