nickw444 / flask-ldap3-login

LDAP3 Logins for Flask/Flask-Login

Home Page: http://flask-ldap3-login.readthedocs.org/en/latest/

CSRF must be initialized

eljeffeg opened this issue · comments

I'm having an issue where only one user can log in at any time. Trying to track down the issue, it seems to be failing during form validation (before getting to ldap - which authenticates successfully). The issue seems to be the CSRF.

Reasons: '{'csrf_token': ['The CSRF session token is missing.']}'

However, I'm supplying the {{ form.csrf_token }} (also tried {{ form.hidden_tag() }}) and I can see the token on the request.form. Is something not getting passed into LDAPLoginForm?

If I run form.validate_ldap() it returns True, but if I just run form.validate() it is False. Username, Password, and CSRF are supplied. I'm following the documentation.

Also tagging azmeuk, who might be able to provide some insight as the dev on flask-wtf.

Solved - The issue was that the CSRF has to be initialized as described in Flask-WTF CSRF Setup. This should be noted in the docs.

This is a bug in the documentation, so I'm reopening this issue to track that update.

I'm still trying to figure out some issues with the login form where I was getting "Bad Request The CSRF Token has expired", which seems odd since the login should set the session and CSRF token, but I hope to figure that out. Would be great to have an example of how it should work :)

I think I was able to finally resolve my issue, which required adding threads to gunicorn, but this is an issue with flask-wtf as a whole, not flask-ldap3-login. Still good to document the initialization though. :)