"csrf-invalid"
-
I can't seem to figure out why NodeBB keeps returning "csrf-invalid".
The forum runs perfectly fine, but when navigating to any page, it returns an alert:
It looks like your login session is no longer active, or no longer matches with the server. Please refresh this page.
Logging in only gives
We were unable to log you in, likely due to an expired session. Please try again
And `./nodebb log` only provides not very descriptive errors like `error: /login invalid csrf token`
Nodebb: 1.12.1 (041cde4dbce64c8f748c81800fac8f6738bf0005)
NodeBB
```json
{
    "url": "https://cpos.ml",
    "secret": "secretse-cret-secr-etse-cretsecretse",
    "bind_address": "127.0.0.1",
    "database": "mongo",
    "port": "4567",
    "mongo": {
        "host": "127.0.0.1",
        "port": "27017",
        "username": "nodebb",
        "password": "**********",
        "database": "nodebb",
        "uri": ""
    }
}
```
Nginx
```nginx
server {
    listen 80;
    server_name cpos.ml;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded_Proto https;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header Host $host;
        proxy_set_header X-NginX-Proxy true;

        proxy_pass http://127.0.0.1:4567;
        proxy_redirect off;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/cpos.ml/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cpos.ml/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

server {
    if ($host = cpos.ml) {
        return 301 https://$host$request_uri;
    }

    listen 80;
    server_name cpos.ml;
    return 404;
}
```
Could anybody please maybe point out something that may be causing the issue?
-
First of all, you have a `listen 80` and a `listen 443 ssl` in your nginx config. Also you have `X-Forwarded_Proto` instead of `X-Forwarded-Proto`. Also you have `$host` instead of `$http_host` (though that's probably not important)
-
@PatheticMustan you appear to be missing your socket.io section of your config.json file. Like this...
"socket.io": { "origins": "*:*" }
That goes directly before your final closing brace.
-
Don't know which one fixed it, but after these suggestions, the forum works again! Thank you so much!
-
@PatheticMustan please try removing the config.json socket.io option. It's dangerous. More information here: https://community.nodebb.org/topic/13388/faq-websockets-not-working-due-to-misconfigured-origins
-
@PatheticMustan said in "csrf-invalid":
Don't know which one fixed it, but after these suggestions, the forum works again! Thank you so much!
Teamwork!
-
@PitaJ said in "csrf-invalid":
@PatheticMustan please try removing the config.json socket.io option. It's dangerous. More information here: https://community.nodebb.org/topic/13388/faq-websockets-not-working-due-to-misconfigured-origins
Thanks for the tip! I have since removed it, and it still works
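
A small checker for the two configuration points raised in the replies (the `X-Forwarded_Proto` header name and the wildcard `socket.io` origins), added here as an illustration and not posted by anyone in the thread. The function names and the trimmed sample inputs are assumptions built from the files shown above.

```python
import json
import re

# Forwarding headers set in the thread's nginx config, keyed by lowercase name.
FORWARDING_HEADERS = {
    "x-forwarded-proto": "X-Forwarded-Proto",
    "x-forwarded-for": "X-Forwarded-For",
    "x-forwarded-port": "X-Forwarded-Port",
    "x-real-ip": "X-Real-IP",
}

def check_nginx(conf_text):
    """Flag proxy_set_header names that are underscore misspellings of a forwarding header."""
    findings = []
    names = re.findall(r"proxy_set_header\s+(\S+)\s+[^;]+;", conf_text)
    for name in names:
        canonical = FORWARDING_HEADERS.get(name.lower().replace("_", "-"))
        if canonical and name.lower() != canonical.lower():
            findings.append(f"nginx: '{name}' should be '{canonical}'")
    sent = {n.lower() for n in names}
    if re.search(r"listen\s+443\s+ssl", conf_text) and "x-forwarded-proto" not in sent:
        findings.append("nginx: TLS is terminated here but X-Forwarded-Proto is never sent")
    return findings

def check_config_json(config_text):
    """Flag a wildcard socket.io origins entry in NodeBB's config.json."""
    config = json.loads(config_text)
    origins = config.get("socket.io", {}).get("origins", "")
    if "*" in origins:
        return [f"config.json: socket.io origins '{origins}' accepts any origin"]
    return []

# Constructed sample input: excerpts of the two files as posted in the thread,
# with the socket.io section from the second reply added to config.json.
NGINX_AS_POSTED = """
server {
    listen 80;
    server_name cpos.ml;
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded_Proto https;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:4567;
    }
    listen 443 ssl;
}
"""
CONFIG_WITH_WILDCARD = '{"url": "https://cpos.ml", "socket.io": {"origins": "*:*"}}'

if __name__ == "__main__":
    for finding in check_nginx(NGINX_AS_POSTED) + check_config_json(CONFIG_WITH_WILDCARD):
        print(finding)
```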