CSRF Issue

Shard

I'm working on my first plugin and have based it strongly on the imgur plugin to use Rackspace Cloudfiles for storage.

The code seems to work fine if I use it for a category image but I get an invalid CSRF response if I do it in a topic.

Ring any bells?

Shard

I hate to, but.

Bump?

julian

Were you trying to upload an image to a topic when this happened? Odd...

Shard

Initially, yes. It would work for category images, however.

A couple of bits of code tests and a git pull later, I was getting it in the control panel for category images as well.

julian

Hm... the plugins shouldn't really touch anything on the front-end where CSRF tokens are handled. Can you try with the latest code in master?

a_5mith

@julian said:

Can you try with the latest code in master?

gh#2359, might run into this issue though.

Shard

Well, I'm back to having different results between the Categories image upload and the Topic Post Upload.

Categories is giving me an invalid image path - which I expect is an issue with my code rather than elsewhere, but I still have this - from a dev run:

2014-11-07T17:15:25.533Z - info: [plugins] Problem executing hook: filter:uploadImage err: {}
2014-11-07T17:16:36.416Z - error: /api/post/upload
Error: invalid csrf token
at module.exports (/mnt/Extra/home/me/Projects/NodeBB/node_modules/csurf/node_modules/http-errors/index.js:32:16)
at verifytoken (/mnt/Extra/home/me/Projects/NodeBB/node_modules/csurf/index.js:237:11)
at csrf (/mnt/Extra/home/me/Projects/NodeBB/node_modules/csurf/index.js7)
at Layer.handle [as handle_request] (/mnt/Extra/home/me/Projects/NodeBB/node_modules/express/lib/router/layer.js:82:5)
at next (/mnt/Extra/home/me/Projects/NodeBB/node_modules/express/lib/router/route.js13)
at Form.<anonymous> (/mnt/Extra/home/me/Projects/NodeBB/node_modules/connect-multiparty/index.js:101:9)
at Form.emit (events.js:117:20)
at maybeClose (/mnt/Extra/home/me/Projects/NodeBB/node_modules/connect-multiparty/node_modules/multiparty/index.js:557:10)
at endFlush (/mnt/Extra/home/me/Projects/NodeBB/node_modules/connect-multiparty/node_modules/multiparty/index.js:552:3)
at WriteStream.<anonymous> (/mnt/Extra/home/me/Projects/NodeBB/node_modules/connect-multiparty/node_modules/multiparty/index.js:617:5)

Xiph

@Shard said:

Well, I'm back to having different results between the Categories image upload and the Topic Post Upload.

Categories is giving me an invalid image path - which I expect is an issue with my code rather than elsewhere, but I still have this - from a dev run:

2014-11-07T17:15:25.533Z - info: [plugins] Problem executing hook: filter:uploadImage err: {}
2014-11-07T17:16:36.416Z - error: /api/post/upload
Error: invalid csrf token
at module.exports (/mnt/Extra/home/me/Projects/NodeBB/node_modules/csurf/node_modules/http-errors/index.js:32:16)
at verifytoken (/mnt/Extra/home/me/Projects/NodeBB/node_modules/csurf/index.js:237:11)
at csrf (/mnt/Extra/home/me/Projects/NodeBB/node_modules/csurf/index.js7)
at Layer.handle [as handle_request] (/mnt/Extra/home/me/Projects/NodeBB/node_modules/express/lib/router/layer.js:82:5)
at next (/mnt/Extra/home/me/Projects/NodeBB/node_modules/express/lib/router/route.js13)
at Form.<anonymous> (/mnt/Extra/home/me/Projects/NodeBB/node_modules/connect-multiparty/index.js:101:9)
at Form.emit (events.js:117:20)
at maybeClose (/mnt/Extra/home/me/Projects/NodeBB/node_modules/connect-multiparty/node_modules/multiparty/index.js:557:10)
at endFlush (/mnt/Extra/home/me/Projects/NodeBB/node_modules/connect-multiparty/node_modules/multiparty/index.js:552:3)
at WriteStream.<anonymous> (/mnt/Extra/home/me/Projects/NodeBB/node_modules/connect-multiparty/node_modules/multiparty/index.js:617:5)

Perhaps this might be related?

Shard

My other issue seems to be from a code chunk inherited from the imgur plugin.

It seems the imgur plugin has it as well. I wonder if this is something simple with my setup - where does node put the temporary uploaded file?

Shard

@Xiph Thank you!

That gave me 99% of what I needed on the admin control - it's uploading again but not catching the success yet. That's on me. The imgur plugin that is rferenced doesn't seem to have been updated - or I was managing to just look at a specific version in github.

The user side has not changed.

Shard

Still no love on the CSRF. Did get this new error on the admin:

2014-11-10T02:50:23.238Z - error: /admin/category/uploadpicture
Error: Failed to lookup view "admin/footer" in views directory "/mnt/Extra/home/dbolack/Projects/NodeBB/public/templates"
at EventEmitter.app.render (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/express/lib/application.js:519:17)
at /mnt/Extra/home/dbolack/Projects/NodeBB/src/middleware/admin.js:103:8
at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:570:21
at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:249:17
at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:125:13
at Array.forEach (native)
at _each (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:46:24)
at async.each (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:124:9)
at _asyncMap (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:248:13)
at Object.map (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:219:23)

Which baffles because the file was there and not weirdly perm'd.

So I did a pull - perhaps unwise. All plugins now are having issue with: app.get('/admin/plugins/rscloudfiles', middleware.applyCSRF, middleware.admin.buildHeader, renderAdmin);

TypeError: Cannot read property 'buildHeader' of undefined
at Object.rscloudfiles.init [as method] (/mnt/Extra/home/dbolack/Projects/nodebb-plugin-rscloudfiles/index.js:61:80)
at /mnt/Extra/home/dbolack/Projects/NodeBB/src/plugins.js:456:13
at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:125:13
at Array.forEach (native)
at _each (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:46:24)
at Object.async.each (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:124:9)
at fireStaticHook (/mnt/Extra/home/dbolack/Projects/NodeBB/src/plugins.js:454:9)
at Object.Plugins.fireHook (/mnt/Extra/home/dbolack/Projects/NodeBB/src/plugins.js:410:5)
at Plugins.reloadRoutes (/mnt/Extra/home/dbolack/Projects/NodeBB/src/plugins.js:132:11)
at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:656:23

a_5mith

@Shard gh#2374

Shard

Hmm.

So is that a sit and wait for documentation, or is the middleware in the nodebb-essentials checkout?

a_5mith

@Shard It was in relation to the buildHeader error you received. It has now been fixed. Should be able to pull and upgrade again.

Shard

@a_5mith Well, I hate to report, but that is not the case.

2014-11-10T17:25:51.352Z - error: TypeError: Cannot read property 'buildHeader' of undefined
at Object.rscloudfiles.init [as method] (/mnt/Extra/home/dbolack/Projects/nodebb-plugin-rscloudfiles/index.js:61:80)
at /mnt/Extra/home/dbolack/Projects/NodeBB/src/plugins.js:456:13
at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:125:13
at Array.forEach (native)
at _each (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:46:24)
at Object.async.each (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:124:9)
at fireStaticHook (/mnt/Extra/home/dbolack/Projects/NodeBB/src/plugins.js:454:9)
at Object.Plugins.fireHook (/mnt/Extra/home/dbolack/Projects/NodeBB/src/plugins.js:410:5)
at Plugins.reloadRoutes (/mnt/Extra/home/dbolack/Projects/NodeBB/src/plugins.js:132:11)
at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:656:23
TypeError: Cannot read property 'buildHeader' of undefined
at Object.rscloudfiles.init [as method] (/mnt/Extra/home/dbolack/Projects/nodebb-plugin-rscloudfiles/index.js:61:80)
at /mnt/Extra/home/dbolack/Projects/NodeBB/src/plugins.js:456:13
at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:125:13
at Array.forEach (native)
at _each (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:46:24)
at Object.async.each (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:124:9)
at fireStaticHook (/mnt/Extra/home/dbolack/Projects/NodeBB/src/plugins.js:454:9)
at Object.Plugins.fireHook (/mnt/Extra/home/dbolack/Projects/NodeBB/src/plugins.js:410:5)
at Plugins.reloadRoutes (/mnt/Extra/home/dbolack/Projects/NodeBB/src/plugins.js:132:11)
at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:656:23

This might help:

[dbolack@hidden NodeBB]$ git rev-parse HEAD
91103fb09e6e29e34651baddbd5a80d2f8c9f670

a_5mith

You will need to update nodebb-plugin-rscloudfiles. There are changes to 0.6.0 that require some minor tweaks.

I couldn't find your plugin on github, but if you look here, these are what you need to change to get your app working in 0.6.0+

You should also add the 0.6.0 compatability bits into your package.json file.

Shard

@a_5mith

Aha. I was using the imgur plugin as a reference - which hadn't been updated on my last check ( admittedly, last night ) which explains this particular omission.

Thank you. Maybe this will fix the CRSF issue as well.

Shard

@a_5mith

That was indeed the issue there. Now I'm back to my previous levels of broken.

https://github.com/dbolackrs/nodebb-plugin-rscloudfiles is the plugin.

I still get this oddity. 2014-11-10T17:53:09.403Z - error: /admin/category/uploadpicture
Error: Failed to lookup view "admin/header" in views directory "/mnt/Extra/home/dbolack/Projects/NodeBB/public/templates"
at EventEmitter.app.render (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/express/lib/application.js:519:17)
at /mnt/Extra/home/dbolack/Projects/NodeBB/src/middleware/admin.js:86:10
at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:592:17
at done (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:135:19)
at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:32:16
at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:589:21
at /mnt/Extra/home/dbolack/Projects/NodeBB/src/plugins.js:434:4
at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:277:13
at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:157:25
at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:274:17

Followed by

2014-11-10T17:53:09.513Z - error: /500
Error: Failed to lookup view "footer" in views directory "/mnt/Extra/home/dbolack/Projects/NodeBB/public/templates"
at EventEmitter.app.render (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/express/lib/application.js:519:17)
at Object.async.parallel.footer (/mnt/Extra/home/dbolack/Projects/NodeBB/src/middleware/middleware.js:205:8)
at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:583:25
at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:125:13
at Array.forEach (native)
at _each (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:46:24)
at Object.async.each (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:124:9)
at _parallel (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:582:20)
at Object.async.parallel (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:598:9)
at middleware.buildHeader (/mnt/Extra/home/dbolack/Projects/NodeBB/src/middleware/middleware.js:200:8)