I am getting the below error while calling the @logout endpoint. Am I missing some settings or configuration?
ERROR plone.protect Error checking for CSRF. Transaction will be aborted since the request is now unsafe:
Traceback (most recent call last):
  File "........./.cache/buildout/eggs/plone.protect-3.0.23-py2.7.egg/plone/protect/auto.py", line 207, in check
    return self._check()
  File "............./.cache/buildout/eggs/plone.protect-3.0.23-py2.7.egg/plone/protect/auto.py", line 234, in _check
    check(self.request, manager=self.key_manager)
  File "................/.cache/buildout/eggs/plone.protect-3.0.23-py2.7.egg/plone/protect/authenticator.py", line 117, in check
    raise Forbidden('Form authenticator is invalid.')
Forbidden: Form authenticator is invalid.
You don't give your Plone version.
I looked a bit at my test install: the plone.protect version is too high for Plone 4 and too low for 5.08; maybe you are running a version 5, but one before the last released, like 5.07? AFAIK plone.protect is 3.1 for Plone 5.08.
Maybe testing with this version could be useful?
Oh well, I was wrong: I updated plone.protect in my test 5.08 setup without remembering it. You have indeed a stock 5.08 as shipped. Note that changing it would very probably not make any difference; it is the same in Plone 5.1.
I looked a bit, and the logout 'story' or 'use case' (as they say) is not totally clear: logout.py is 2 years old in a repo that has seen frantic changes, and this issue has had no reply.
I have not seen a clear way to work around this problem. I tried the following patch and it worked after that, so I'm afraid that it could be a limitation of the current version. OTOH, for the linked issue it seemed that the poster had found a way to make it work, so I'm not sure.
Anyway, you can always just rely on the default timeout (if you disable logout in the ZMI).
(plone.restapi.services.auth)
--- logout.py.ori 2018-04-03 08:00:16.847862000 +0000
+++ logout.py 2018-04-03 09:42:36.331879331 +0000
@@ -3,6 +3,9 @@
from Products.PluggableAuthService.interfaces.plugins import (
IAuthenticationPlugin)
from plone.restapi.services import Service
+from zope.interface import alsoProvides
+
+import plone.protect.interfaces
class Logout(Service):
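Review bot: `import plone.protect.interfaces` is pulled in as a bare module only so that the second hunk can probe it with `dir()`; a `from plone.protect.interfaces import IDisableCSRFProtection` wrapped in `try`/`except ImportError` would state the optional dependency explicitly at import time and is the usual idiom. Also, the `@@ -3,6 +3,9 @@` header announces nine new lines but only seven are shown, so the blank lines that separated the imports from `class Logout(Service):` seem to have been dropped when pasting; check that the patch still applies cleanly.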
@@ -33,7 +36,14 @@
creds = plugin.extractCredentials(self.request)
if creds and 'token' in creds and plugin.delete_token(creds['token']):
self.request.response.setStatus(200)
- return super(Logout, self).reply()
+ # Disable CSRF protection
+ if 'IDisableCSRFProtection' in dir(plone.protect.interfaces):
+ alsoProvides(self.request,
+ plone.protect.interfaces.IDisableCSRFProtection)
+ return {
+ 'logout': 'success'
+ }
+
self.request.response.setStatus(400)
return dict(error=dict(type='Logout failed', message="Unknown token"))
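Review bot: the success branch now returns a hard-coded `{'logout': 'success'}` instead of `super(Logout, self).reply()`, which changes the response body for every client and is unrelated to the CSRF problem; if the goal is only to stop plone.protect aborting the transaction after `plugin.delete_token(creds['token'])`, keep the original `return` and add just the `alsoProvides(self.request, plone.protect.interfaces.IDisableCSRFProtection)` marker. The `'IDisableCSRFProtection' in dir(plone.protect.interfaces)` guard also fails silently: on a plone.protect release without that interface the token deletion would still be rolled back with nothing logged, so prefer `getattr(...)` with an explicit fallback or an error. Finally, the marker switches off the automatic CSRF check for the entire request; that is defensible here only because the endpoint acts on the `token` extracted from `creds` rather than on a cookie session, and the comment should say so instead of the bare `# Disable CSRF protection`.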