You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Describe the bug
When attempting to access a view that is protected by the @fresh_login_required decorator via FlaskLoginClient a 401 error is raised, even though the session's _fresh property is set to True by FlaskLoginClient.
To Reproduce
Steps to reproduce the behavior:
Create a Flask view function decorated with @fresh_login_required
Create a FlaskLoginClient and try to access /myview:
app.test_client_class=FlaskLoginClientwithapp.test_client(user=my_user_obj, fresh_login=True) asclient:
response=client.get("/myview")
assertresponse.status_code==200# fails because 401 != 200
401 Unauthorized is returned even though session["_fresh"] is set to True
Expected behavior
The view function should be accessible, i.e. return a 200 OK because we have specified that the current session should be fresh.
Speculative explanation FlaskLoginClient doesn't set _id on the session so when the fresh_login_required function accesses current_user on line 309 in utils.py, LoginManager._load_user is called which runs LoginManager._session_protection_failed which cannot find the _id property on session thus setting sess["_fresh"] = False.
See also issue #569 which discusses the behavior of invalidating a session when _id is not found.
The text was updated successfully, but these errors were encountered:
Describe the bug
When attempting to access a view that is protected by the
@fresh_login_required
decorator viaFlaskLoginClient
a401
error is raised, even though the session's_fresh
property is set toTrue
byFlaskLoginClient
.To Reproduce
Steps to reproduce the behavior:
@fresh_login_required
FlaskLoginClient
and try to access/myview
:401 Unauthorized
is returned even thoughsession["_fresh"]
is set toTrue
Expected behavior
The view function should be accessible, i.e. return a
200 OK
because we have specified that the current session should be fresh.Speculative explanation
FlaskLoginClient
doesn't set_id
on the session so when thefresh_login_required
function accessescurrent_user
on line 309 inutils.py
,LoginManager._load_user
is called which runsLoginManager._session_protection_failed
which cannot find the_id
property on session thus settingsess["_fresh"] = False
.See also issue #569 which discusses the behavior of invalidating a session when
_id
is not found.The text was updated successfully, but these errors were encountered: