Skip to content

Fix Flask-WTF/Quart-WTF CSRF exemptions broken by backend refactor#3885

Merged
T4rk1n merged 4 commits into
devfrom
fix/flask-plugin
Jul 14, 2026
Merged

Fix Flask-WTF/Quart-WTF CSRF exemptions broken by backend refactor#3885
T4rk1n merged 4 commits into
devfrom
fix/flask-plugin

Conversation

@T4rk1n

@T4rk1n T4rk1n commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

The backend refactor moved callback dispatching from Dash.dispatch into nested closures in the backend modules, changing the view function's fully-qualified name from dash.dash.dispatch to
dash.backends._flask._dispatch. Flask-WTF's CSRFProtect exempts views by that name, so csrf._exempt_views.add("dash.dash.dispatch") silently stopped working, raising "The CSRF token is missing." on every callback.

Restore the dispatch view's identity to dash.dash.dispatch in the Flask and Quart backends so existing exemptions keep working.

Fixes #3827

The backend refactor moved callback dispatching from Dash.dispatch into
nested closures in the backend modules, changing the view function's
fully-qualified name from dash.dash.dispatch to
dash.backends._flask._dispatch. Flask-WTF's CSRFProtect exempts views by
that name, so csrf._exempt_views.add("dash.dash.dispatch") silently
stopped working, raising "The CSRF token is missing." on every callback.

Restore the dispatch view's identity to dash.dash.dispatch in the Flask
and Quart backends so existing exemptions keep working.

Fixes #3827

@camdecoster camdecoster left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you need to add a similar fix for fastapi?

Comment thread CHANGELOG.md Outdated
Co-authored-by: Cameron DeCoster <cameron.decoster@gmail.com>
@T4rk1n

T4rk1n commented Jul 13, 2026

Copy link
Copy Markdown
Contributor Author

Do you need to add a similar fix for fastapi?

No, fastapi uses a different system that is middleware based.

@sonarqubecloud

Copy link
Copy Markdown

@T4rk1n T4rk1n merged commit 8c72a5f into dev Jul 14, 2026
30 checks passed
@T4rk1n T4rk1n deleted the fix/flask-plugin branch July 14, 2026 14:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[BUG] Dash with CSRFProtect from Flask-WTF no longer working after Dash 4.1 to 4.2 upgrade

2 participants