
Expected behavior of flask-WTForms?

I have just started with Flask and am trying to make a login form, but flask-wtf/WTForms seems to lose the password field somehow when the response form is instantiated. My form looks like this:

from flask_wtf import Form
from wtforms import StringField, PasswordField
from wtforms.validators import DataRequired

class LoginForm(Form):
    name = StringField('name', validators=[DataRequired()])
    password = PasswordField('password', validators=[DataRequired()])

    def validate_password(self, field):
        # Inline validator: WTForms calls validate_<fieldname> automatically.
        # Formatting the field object renders its HTML <input>, not the submitted value.
        print("password field is {}".format(field))

And the view looks like this:

from flask import Flask, request, render_template

app = Flask(__name__)

@app.route('/login', methods=['GET', 'POST'])
def login():
    form = LoginForm(request.form)
    if form.validate_on_submit():
        print("** new request")
        print("request.values = {}".format(request.values))
        print("request.form = {}".format(request.form))
        print("form.name = {}".format(form.name))
        print("form.password = {}".format(form.password))
        print("form.csrf_token = {}".format(form.csrf_token))
        # do stuff with form.name and form.password and then render_template as appropriate
    return render_template('login.html', form=form)

When the client is posting the login form the program prints this:

password field is <input id="password" name="password" type="password" value=""> # <-- value is empty!
** new request
request.values = CombinedMultiDict([ImmutableMultiDict([]), ImmutableMultiDict([('csrf_token', u'1444574310##420f08dc670febba20d0a4dfd9085e5f6ad4dded'), ('password', u'hemlis'), ('name', u'kalle')])])
request.form = ImmutableMultiDict([('csrf_token', u'1444574310##420f08dc670febba20d0a4dfd9085e5f6ad4dded'), ('password', u'hemlis'), ('name', u'kalle')])
form.name = <input id="name" name="name" type="text" value="kalle">
form.password = <input id="password" name="password" type="password" value=""> # <-- value is empty!
form.csrf_token = <input id="csrf_token" name="csrf_token" type="hidden" value="1444574315##24eca44ce86f86523ddf9d138f07fc306ed77a96">

The value of the password field is missing even though it managed to get the values for name and csrf_token. If I change the type of the password field to StringField, the password value gets picked up by the form as expected, but that is not a satisfying workaround! :-)

Should I do something more here to get the password field because of security, or is this a bug somewhere?

Also, here is my requirements.txt:

bcrypt==2.0.0
BeautifulSoup==3.2.1
blinker==1.4
cffi==1.2.1
Flask==0.10.1
Flask-Login==0.3.2
Flask-Mail==0.9.1
Flask-Principal==0.4.0
Flask-WTF==0.12
itsdangerous==0.24
Jinja2==2.8
Markdown==2.6.2
MarkupSafe==0.23
micawber==0.3.3
passlib==1.6.5
peewee==2.6.4
pycparser==2.14
six==1.10.0
Werkzeug==0.10.4
wheel==0.24.0
WTForms==2.0.2

When you ask for form.password you're actually asking for the HTML representation of that object. In the case of a PasswordField, including the previously entered data in that HTML element would be a pretty bad security hole, as the password could be viewed by just having a look at the HTML source code (either locally or, more likely, by someone monitoring a shared unsecured wifi network).

To view the data that is included in a submitted form element, use the .data property, such as form.password.data.
