Skip to content

Fix Flask-WTF/Quart-WTF CSRF exemptions broken by backend refactor#3885

Open
T4rk1n wants to merge 1 commit into
devfrom
fix/flask-plugin
Open

Fix Flask-WTF/Quart-WTF CSRF exemptions broken by backend refactor#3885
T4rk1n wants to merge 1 commit into
devfrom
fix/flask-plugin

Conversation

@T4rk1n

@T4rk1n T4rk1n commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

The backend refactor moved callback dispatching from Dash.dispatch into nested closures in the backend modules, changing the view function's fully-qualified name from dash.dash.dispatch to
dash.backends._flask._dispatch. Flask-WTF's CSRFProtect exempts views by that name, so csrf._exempt_views.add("dash.dash.dispatch") silently stopped working, raising "The CSRF token is missing." on every callback.

Restore the dispatch view's identity to dash.dash.dispatch in the Flask and Quart backends so existing exemptions keep working.

Fixes #3827

The backend refactor moved callback dispatching from Dash.dispatch into
nested closures in the backend modules, changing the view function's
fully-qualified name from dash.dash.dispatch to
dash.backends._flask._dispatch. Flask-WTF's CSRFProtect exempts views by
that name, so csrf._exempt_views.add("dash.dash.dispatch") silently
stopped working, raising "The CSRF token is missing." on every callback.

Restore the dispatch view's identity to dash.dash.dispatch in the Flask
and Quart backends so existing exemptions keep working.

Fixes #3827
@sonarqubecloud

sonarqubecloud Bot commented Jul 9, 2026

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[BUG] Dash with CSRFProtect from Flask-WTF no longer working after Dash 4.1 to 4.2 upgrade

1 participant