Fix auth.py: anti-forgery token JSON parsing + missing CSRF header + FormsAuthReturnUrl #2

Closed
opened 2026-05-21 22:06:38 +00:00 by shawn · 0 comments
Owner

Bugs fixed

  1. _get_anti_forgery_state was treating JSON response as raw text — now correctly parses Token from JSON
  2. _do_login was missing __RequestVerificationToken header required by ASP.NET anti-CSRF
  3. _do_login was missing FormsAuthReturnUrl in the login POST body
  4. AuthSession didn't store password — refresh() would fail if env vars weren't set
  5. Added NotVerifiedUserEmail error handling from login API response

Tests

  • 27 unit tests in tests/test_auth.py using respx — all pass

Files changed

  • src/auth.py, tests/test_auth.py, requirements.txt
## Bugs fixed 1. **_get_anti_forgery_state** was treating JSON response as raw text — now correctly parses Token from JSON 2. **_do_login** was missing __RequestVerificationToken header required by ASP.NET anti-CSRF 3. **_do_login** was missing FormsAuthReturnUrl in the login POST body 4. **AuthSession** didn't store password — refresh() would fail if env vars weren't set 5. Added **NotVerifiedUserEmail** error handling from login API response ## Tests - 27 unit tests in tests/test_auth.py using respx — all pass ## Files changed - src/auth.py, tests/test_auth.py, requirements.txt
shawn closed this issue 2026-05-21 22:06:54 +00:00
Sign in to join this conversation.
No Label
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: shawn/cantaloupe-downloader#2