Project Quay / PROJQUAY-2340

Enabling SSO-only login for quay.io causes CSRF errors


Details

    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Component: quay.io

    Description

      This is because we use two different CSRF tokens for normal API calls and OAuth calls. The OAuth token is set by the `/externallogin/<provider>` endpoint and is stored as an encrypted Flask session cookie. However, v1 API calls set the cookie as a JWT token. The order of API calls now makes a difference because the cookie from one gets overwritten by the other.


      When making the OAuth call to the external provider, if we have the wrong session cookie, the CSRF validation fails when the callback URL is sent to the backend with the cookie containing the wrong CSRF token.

      To fix this we must force users to go to the `/signin` page, which makes sure that the last API call that happens is `/externallogin/<provider>`, which sets the correct cookie before redirecting to the external provider.
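      The cookie overwrite described above, simulated in pure Python as an added example (this is not Quay's code). The handler names `api_v1_handler`, `externallogin_handler`, `oauth_callback`, the cookie name `_csrf_token`, the HMAC-signed blobs standing in for Quay's JWT and encrypted Flask session cookie, and the secret key are all constructed for the illustration. Both handlers write to the same cookie, so whichever runs last decides what the callback sees:

```python
"""Simulation of the CSRF cookie clash from PROJQUAY-2340 (added example, not Quay's code)."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional

SECRET = b"constructed-secret-key-not-real"   # constructed; never reuse a literal key
CSRF_COOKIE = "_csrf_token"                   # hypothetical name of the shared cookie


def _sign(payload: bytes) -> str:
    """Produce a signed 'payload.signature' blob, a stand-in for both cookie formats."""
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode()
            + "." + base64.urlsafe_b64encode(sig).decode())


def _verify(token: str) -> Optional[bytes]:
    """Return the payload if the signature checks out, otherwise None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(sig, expected) else None


def api_v1_handler(cookies: Dict[str, str]) -> None:
    """Stand-in for a v1 API call: stores its own CSRF token as a JWT-like blob
    in the shared cookie, clobbering whatever was there before."""
    token = {"kind": "jwt", "csrf": secrets.token_hex(8)}
    cookies[CSRF_COOKIE] = _sign(json.dumps(token).encode())


def externallogin_handler(cookies: Dict[str, str], provider: str) -> str:
    """Stand-in for /externallogin/<provider>: stores the OAuth CSRF token in the
    session-style cookie and returns the `state` value sent to the provider."""
    state = secrets.token_hex(8)
    session = {"kind": "session", "oauth_csrf": state, "provider": provider}
    cookies[CSRF_COOKIE] = _sign(json.dumps(session).encode())
    return state


def oauth_callback(cookies: Dict[str, str], state: str) -> bool:
    """Stand-in for the OAuth callback: the `state` echoed by the provider must match
    the OAuth CSRF token in the cookie that arrives with the callback request."""
    payload = _verify(cookies.get(CSRF_COOKIE, ""))
    if payload is None:
        return False
    data = json.loads(payload)
    if data.get("kind") != "session":      # a JWT-format cookie carries no OAuth token
        return False
    return hmac.compare_digest(data.get("oauth_csrf", ""), state)


def login_flow(order: List[str], provider: str = "github") -> bool:
    """Run the named handlers in `order` against one cookie jar, then the callback.
    Returns True when CSRF validation at the callback succeeds."""
    cookies: Dict[str, str] = {}
    state = ""
    for step in order:
        if step == "externallogin":
            state = externallogin_handler(cookies, provider)
        elif step == "api_v1":
            api_v1_handler(cookies)
        else:
            raise ValueError(f"unknown step {step!r}")
    return oauth_callback(cookies, state)


if __name__ == "__main__":
    # A v1 API call landing after /externallogin overwrites the OAuth cookie: the bug.
    print("externallogin then api_v1:", login_flow(["externallogin", "api_v1"]))
    # The /signin route makes /externallogin the last call before the redirect: it works.
    print("api_v1 then externallogin:", login_flow(["api_v1", "externallogin"]))
```

      Running the block prints `False` for the first ordering and `True` for the second, which is the order dependence the issue describes. The same simulation shows why giving the two token formats distinct cookie names would remove the race entirely, independent of request order; that is an observation about the model, not a change the issue proposes.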

          People

            Assignee: Unassigned
            Reporter: Syed Ahmed (syahmed@redhat.com)
            Votes: 0
            Watchers: 2
