Fix Flask Invalid CSRF token message on Wazo PBX login

Today I was trying to sign into an instance of Wazo that I am responsible for and login to the Wazo Admin UI was failing in Firefox. At the login splash screen, when I’d enter my credentials I got no warnings, no message that the credentials were incorrect — but the username and password blanks simply cleared, and the login page was again presented. I knew the credentials were correct., and verified that they were by viewing the appropriate records in SQL, like so:

root@pbx:~# su - postgres
postgres@pbx:~$ psql asterisk
asterisk=# select * from "user";

This shows you the usernames and passwords to the Wazo admin UI in plain text; and I was able to easily verify that I was using the correct credentials. (To exit the psql prompt, type \q and press Enter; then type exit to leave the postgres user account and go back to root.) I also discovered that I could log in just fine using Chrome.

Note that if you want to change the password, you can do so with an SQL command:

sudo -u postgres psql -c "update \"user\" set passwd = 'MyScaryPassword!' where login = 'root'" asterisk

Being a Firefox type of person I wasn’t satisfied to just use Chrome, and went digging for answers.

tail -f /var/log/wazo-admin-ui.log

Tailing the Wazo Admin UI log (command above) revealed this line when trying to log in to Wazo via Firefox:

(INFO) (flask_wtf.csrf): The CSRF tokens to not match.

That gave me a specific error message to go to DuckDuckGo with. Using the clue that this was a Flask error, and not a specific Wazo problem, I searched accordingly; and came across this helpful article.

In my /etc/hosts file there were these entries (our actual hostname replaced with       localhost        localhost.localdomain   pbx

Comments at the top of the file warned me not to edit this file by hand because the Wazo services will over-write manual changes. I decided to give it a go anyhow and see what would happen; and figure out how to change the Wazo settings that write this file later if need be. So I changed the second line’s IP address from to the actual LAN IP address of the PBX and for lack of knowing what services may need to be restarted (wazo-service restart didn’t do it), simply rebooted the system.

And, voila! I logged in via Firefox successfully.

Funny thing is, I’ve checked /etc/hosts again and it’s back to what it had been earlier — my manual change has been over-written. But login still works. Why it does, or why it didn’t before then, I can’t say for sure. At least I have something to try if it breaks again.

You may also like...

Leave a Reply