Plone REST API logout problem

I am getting the error below while calling the @logout endpoint. Am I missing some settings or configuration?

ERROR plone.protect Error checking for CSRF. Transaction will be aborted since the request is now unsafe:
Traceback (most recent call last):
  File "........./.cache/buildout/eggs/plone.protect-3.0.23-py2.7.egg/plone/protect/auto.py", line 207, in check
    return self._check()
  File "............./.cache/buildout/eggs/plone.protect-3.0.23-py2.7.egg/plone/protect/auto.py", line 234, in _check
    check(self.request, manager=self.key_manager)
  File "................/.cache/buildout/eggs/plone.protect-3.0.23-py2.7.egg/plone/protect/authenticator.py", line 117, in check
    raise Forbidden('Form authenticator is invalid.')
Forbidden: Form authenticator is invalid.

You don't give your Plone version.
I looked a bit at my test install. Judging from the plone.protect version, it's too high for Plone 4 and too low for 5.0.8; maybe you are running a version 5 from before the last release, like 5.0.7? AFAIK plone.protect is 3.1 for Plone 5.0.8.
Maybe testing with this version could be useful?

@gp54321 Thanks for the reply. Below are the version details.

Version Overview
Plone 5.0.8 (5018)
CMF 2.2.10
Zope 2.13.26
Python 2.7.6 (default, Nov 23 2017, 15:49:48) [GCC 4.8.4]
PIL 3.3.0 (Pillow)

Oh well. I was wrong: I updated plone.protect in my test 5.0.8 setup without remembering it. You have indeed a stock 5.0.8 as shipped. Note that changing it would very probably not make any difference; it is the same in Plone 5.1.

I looked a bit, and the logout 'story' or 'use case' (as they say) is not totally clear: logout.py is 2 years old in a repo that has seen frantic changes, and this issue has had no reply.

I have not seen a clear way to work around this problem. I tried the following patch and it worked after that, so I'm afraid that it could be a limitation of the current version. OTOH, for the linked issue it seemed that the poster had found a way to make it work, so I'm not sure.
Anyway, you can always just rely on the default timeout (if you disable logout in the ZMI).

(plone.restapi.services.auth)

--- logout.py.ori	2018-04-03 08:00:16.847862000 +0000
+++ logout.py	2018-04-03 09:42:36.331879331 +0000
@@ -3,6 +3,9 @@
 from Products.PluggableAuthService.interfaces.plugins import (
     IAuthenticationPlugin)
 from plone.restapi.services import Service
+from zope.interface import alsoProvides
+
+import plone.protect.interfaces
 
 
 class Logout(Service):
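Review bot: the two new imports are split oddly: `from zope.interface import alsoProvides` is appended to the existing `from` imports while `import plone.protect.interfaces` sits alone after two blank lines, and the module-style import exists only so that the attribute test in the second hunk can run. If plone.protect is a dependency of this package (it ships with every Plone version discussed in this thread), import the interface directly with `from plone.protect.interfaces import IDisableCSRFProtection` and keep the imports in one sorted block.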
@@ -33,7 +36,14 @@
         creds = plugin.extractCredentials(self.request)
         if creds and 'token' in creds and plugin.delete_token(creds['token']):
             self.request.response.setStatus(200)
-            return super(Logout, self).reply()
+            # Disable CSRF protection
+            if 'IDisableCSRFProtection' in dir(plone.protect.interfaces):
+                alsoProvides(self.request,
+                             plone.protect.interfaces.IDisableCSRFProtection)
+            return {
+                'logout': 'success'
+            }
+
 
         self.request.response.setStatus(400)
         return dict(error=dict(type='Logout failed', message="Unknown token"))
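Review bot: this hunk bundles two unrelated changes. Besides marking the request with IDisableCSRFProtection, it replaces `return super(Logout, self).reply()` with a hard-coded `{'logout': 'success'}` body, which changes the response of a successful logout and is not needed for the CSRF fix; drop it, or split it into its own commit with a changelog entry. The guard `if 'IDisableCSRFProtection' in dir(plone.protect.interfaces):` is an unusual way to test for an attribute; `hasattr(plone.protect.interfaces, 'IDisableCSRFProtection')` says the same thing, and with the plone.protect 3.0.23 shown in the traceback the interface is present, so the guard can go. The extra empty `+` line leaves two blank lines inside the method body. Finally, `alsoProvides` runs after `plugin.delete_token(...)` has already written, so the fix relies on plone.protect's automatic check running once the view has returned (as the auto.py frames in the traceback suggest) rather than at write time; a one-line comment stating that would save the next reader the same investigation.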

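To make the failure above and the effect of the patch concrete, here is a stand-alone model of the check that produces "Form authenticator is invalid." It is an added example, not code from this thread, from plone.protect or from plone.restapi; it only mirrors plone.protect's approach (the `_authenticator` token is an HMAC of the user name under a secret from a rotating keyring, the token is read from the form or from an `X-CSRF-TOKEN` header, and the check is skipped when the request is marked exempt, which is what `alsoProvides(request, IDisableCSRFProtection)` does). All class and function names, the `csrf_exempt` flag, the keyring size and the sample requests are this example's own constructions. Python 3.

```python
"""Model of a form-authenticator (CSRF token) check in the style of plone.protect.

Added example: not plone.protect itself. Names and sample data are constructed here.
"""
import hashlib
import hmac
import os


class Forbidden(Exception):
    """Stands in for the Forbidden exception raised in the traceback."""


class Keyring:
    """A few rotating secrets, newest first, so tokens minted just before a rotation stay valid."""

    def __init__(self, size=5):
        self._keys = [os.urandom(32) for _ in range(size)]

    def current(self):
        return self._keys[0]

    def __iter__(self):
        return iter(self._keys)

    def rotate(self):
        # New secret in front, oldest secret dropped.
        self._keys = [os.urandom(32)] + self._keys[:-1]


def create_token(user, keyring):
    """Token handed to a logged-in user: HMAC-SHA1(secret, user name), hex encoded."""
    return hmac.new(keyring.current(), user.encode(), hashlib.sha1).hexdigest()


class Request:
    """Minimal request: authenticated user, form fields, headers and the exemption flag."""

    def __init__(self, user, form=None, headers=None):
        self.user = user
        self.form = dict(form or {})
        self.headers = dict(headers or {})
        self.csrf_exempt = False  # this model's equivalent of providing IDisableCSRFProtection


def check(request, keyring, name="_authenticator"):
    """Return True when the request is exempt or carries a valid token; raise Forbidden otherwise.

    Every key in the ring is tried, and the comparison is constant time so the token
    cannot be recovered byte by byte through timing.
    """
    if request.csrf_exempt:
        return True
    token = request.form.get(name) or request.headers.get("X-CSRF-TOKEN")
    if not token:
        raise Forbidden("Form authenticator is invalid.")
    user = request.user.encode()
    for key in keyring:
        expected = hmac.new(key, user, hashlib.sha1).hexdigest()
        if hmac.compare_digest(expected, token):
            return True
    raise Forbidden("Form authenticator is invalid.")


def logout_scenarios():
    """Replay the situations from the thread against the model; returns a dict of outcomes."""
    keyring = Keyring()
    outcomes = {}

    # 1. Browser form logout: the page embedded _authenticator, so the check passes.
    token = create_token("alice", keyring)
    outcomes["form_with_token"] = check(Request("alice", form={"_authenticator": token}), keyring)

    # 2. REST client (constructed headers): a bearer token, no CSRF token at all. This is
    #    the first post's situation: the logout writes, the check finds no token, Forbidden.
    rest_headers = {"Authorization": "Bearer <jwt>", "Accept": "application/json"}
    try:
        check(Request("alice", headers=rest_headers), keyring)
        outcomes["rest_without_token"] = "allowed"
    except Forbidden as exc:
        outcomes["rest_without_token"] = str(exc)

    # 3. Same REST request carrying the token in X-CSRF-TOKEN: passes with no exemption needed.
    with_header = dict(rest_headers, **{"X-CSRF-TOKEN": token})
    outcomes["rest_with_header_token"] = check(Request("alice", headers=with_header), keyring)

    # 4. Forged token: without the secret the HMAC cannot be computed, so it is rejected.
    try:
        check(Request("alice", form={"_authenticator": "0" * 40}), keyring)
        outcomes["forged_token"] = "allowed"
    except Forbidden as exc:
        outcomes["forged_token"] = str(exc)

    # 5. The patch's workaround: the request is marked exempt, so nothing is checked at all.
    exempt = Request("alice", headers=rest_headers)
    exempt.csrf_exempt = True
    outcomes["rest_marked_exempt"] = check(exempt, keyring)

    # 6. A token minted before a key rotation is still accepted while its key is in the ring.
    keyring.rotate()
    outcomes["token_after_rotation"] = check(Request("alice", form={"_authenticator": token}), keyring)
    return outcomes


if __name__ == "__main__":
    for scenario, result in logout_scenarios().items():
        print(f"{scenario:24} {result}")
```

Scenario 2 is the traceback from the first post in miniature, and scenario 5 is what the patch does: the exemption turns the check off for the whole request, not just for the token deletion. For @logout that is a narrow risk, since the worst a forged request achieves is an unwanted logout and a cross-site page cannot attach the Authorization header the REST client relies on; for any other state-changing endpoint, sending the token (scenario 3) is the better fix than exempting the request.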
Hi there - I updated https://github.com/plone/plone.restapi/issues/521. This post helped.
