invalid CSRF token during registration
-
We got some complaints from new users that right after registration, they get an error and see a blank "forbidden" page with a link like this:
register/complete/?_csrf=XXXXXX
however when one person deleted the part ?_csrf=XXXXXX... and click the link, he was able to log in... After looking at the logs, I can see these mistakes happening frequently...
we are currently using 1.18.6, should we upgrade to 1.19 to eliminate these errors?
2022-01-17T14:48:29.084Z [4567/26963] - [31merror[39m: /forum/register/complete/ invalid csrf token 2022-01-17T16:30:54.666Z [4569/26966] - [31merror[39m: /forum/logout invalid csrf token 2022-01-17T16:31:59.605Z [4567/26963] - [31merror[39m: /assets/uploads/files/119/1503486526413eyalet-di%C5%9F-okulu-bilgisi.png Error: Login sessions require session support. Did you forget to use `express-session` middleware? at SessionStrategy.authenticate (/home/fsuzer/nodebb/node_modules/passport/lib/strategies/session.js:46:41) at attempt (/home/fsuzer/nodebb/node_modules/passport/lib/middleware/authenticate.js:369:16) at authenticate (/home/fsuzer/nodebb/node_modules/passport/lib/middleware/authenticate.js:370:7) at Layer.handle [as handle_request] (/home/fsuzer/nodebb/node_modules/express/lib/router/layer.js:95:5) at trim_prefix (/home/fsuzer/nodebb/node_modules/express/lib/router/index.js:323:13) at /home/fsuzer/nodebb/node_modules/express/lib/router/index.js:284:7 at Function.process_params (/home/fsuzer/nodebb/node_modules/express/lib/router/index.js:341:12) at next (/home/fsuzer/nodebb/node_modules/express/lib/router/index.js:275:10) at initialize (/home/fsuzer/nodebb/node_modules/passport/lib/middleware/initialize.js:89:5) at Layer.handle [as handle_request] (/home/fsuzer/nodebb/node_modules/express/lib/router/layer.js:95:5) 2022-01-17T16:36:01.474Z [4567/26963] - [31merror[39m: /forum/api/v3/users/14305/follow invalid csrf token 2022-01-17T16:48:11.040Z [4568/26964] - [31merror[39m: notifications.getCount Error: revalidate-failure at validateSession (/home/fsuzer/nodebb/src/socket.io/index.js:208:9) at runMicrotasks (<anonymous>) at processTicksAndRejections (node:internal/process/task_queues:96:5) at onMessage (/home/fsuzer/nodebb/src/socket.io/index.js:153:3) 2022-01-17T16:53:59.303Z [4568/26964] - [31merror[39m: /forum/register/complete/ invalid csrf token 2022-01-17T17:00:00.011Z [4568/26964] - [32minfo[39m: [user/jobs] Did not send digests (day) because subscription system is disabled. 2022-01-17T17:00:00.024Z [4567/26963] - [32minfo[39m: [user/jobs] Did not send digests (day) because subscription system is disabled. 2022-01-17T17:00:43.621Z [4568/26964] - [33mwarn[39m: [deprecated] at SocketTopics.getTopic (/home/fsuzer/nodebb/src/socket.io/topics.js:99:10) at wrapperCallback (/home/fsuzer/nodebb/src/promisify.js:46:11) at onMessage (/home/fsuzer/nodebb/src/socket.io/index.js:160:25) use GET /api/v3/topics/:tid 2022-01-17T17:00:45.320Z [4568/26964] - [33mwarn[39m: [deprecated] at SocketTopics.getTopic (/home/fsuzer/nodebb/src/socket.io/topics.js:99:10) at wrapperCallback (/home/fsuzer/nodebb/src/promisify.js:46:11) at onMessage (/home/fsuzer/nodebb/src/socket.io/index.js:160:25) use GET /api/v3/topics/:tid 2022-01-17T17:59:34.773Z [4568/26964] - [31merror[39m: /forum/logout invalid csrf token 2022-01-17T17:59:37.207Z [4568/26964] - [31merror[39m: /forum/logout invalid csrf token 2022-01-17T18:01:04.641Z [4568/26964] - [31merror[39m: /forum/logout invalid csrf token 2022-01-17T18:04:22.743Z [4570/26972] - [31merror[39m: /assets/uploads/files/207/1546969176845e868e8b4-0b1b-4cee-9aef-c3b6b1ecdf3b-image.png Error: Login sessions require session support. Did you forget to use `express-session` middleware? at SessionStrategy.authenticate (/home/fsuzer/nodebb/node_modules/passport/lib/strategies/session.js:46:41) at attempt (/home/fsuzer/nodebb/node_modules/passport/lib/middleware/authenticate.js:369:16) at authenticate (/home/fsuzer/nodebb/node_modules/passport/lib/middleware/authenticate.js:370:7) at Layer.handle [as handle_request] (/home/fsuzer/nodebb/node_modules/express/lib/router/layer.js:95:5) at trim_prefix (/home/fsuzer/nodebb/node_modules/express/lib/router/index.js:323:13) at /home/fsuzer/nodebb/node_modules/express/lib/router/index.js:284:7 at Function.process_params (/home/fsuzer/nodebb/node_modules/express/lib/router/index.js:341:12) at next (/home/fsuzer/nodebb/node_modules/express/lib/router/index.js:275:10) at initialize (/home/fsuzer/nodebb/node_modules/passport/lib/middleware/initialize.js:89:5) at Layer.handle [as handle_request] (/home/fsuzer/nodebb/node_modules/express/lib/router/layer.js:95:5) 2022-01-17T18:05:04.276Z [4567/26963] - [31merror[39m: meta.rooms.leaveCurrent Error: revalidate-failure at validateSession (/home/fsuzer/nodebb/src/socket.io/index.js:208:9) at runMicrotasks (<anonymous>) at processTicksAndRejections (node:internal/process/task_queues:96:5) at onMessage (/home/fsuzer/nodebb/src/socket.io/index.js:153:3) 2022-01-17T18:06:06.006Z [4568/26964] - [31merror[39m: /forum/register/complete/ invalid csrf token 2022-01-17T18:07:48.857Z [4568/26964] - [31merror[39m: plugins.browsingUsers.getBrowsingUsers Error: revalidate-failure at validateSession (/home/fsuzer/nodebb/src/socket.io/index.js:208:9) at runMicrotasks (<anonymous>) at processTicksAndRejections (node:internal/process/task_queues:96:5) at onMessage (/home/fsuzer/nodebb/src/socket.io/index.js:153:3) 2022-01-17T18:08:15.486Z [4568/26964] - [31merror[39m: /forum/register/complete/ invalid csrf token 2022-01-17T18:08:46.586Z [4568/26964] - [31merror[39m: meta.rooms.leaveCurrent Error: revalidate-failure at validateSession (/home/fsuzer/nodebb/src/socket.io/index.js:208:9) at runMicrotasks (<anonymous>) at processTicksAndRejections (node:internal/process/task_queues:96:5) at onMessage (/home/fsuzer/nodebb/src/socket.io/index.js:153:3)
-
this is our nginx config file:
upstream io_nodes { ip_hash; server 127.0.0.1:4567; server 127.0. - Pastebin.com
Pastebin.com is the number one paste tool since 2002. Pastebin is a website where you can store text online for a set period of time.
Pastebin (pastebin.com)
this is our nodebb config file:
{ "url": "https://forum.com/forum", "secret": "some-secret", "dat - Pastebin.com
Pastebin.com is the number one paste tool since 2002. Pastebin is a website where you can store text online for a set period of time.
Pastebin (pastebin.com)
-
additionally, the main site is WordPress, and NodeBB is installed at /forum
-
I suggest updating to 1.19.0 and applying this change as well https://github.com/NodeBB/NodeBB/commit/e9ee843b274b1e1f38b992650f3f74f940a20a49.
After that users might have to clear their cookies and refresh their browsers. Let us know if they still experience csrf errors after those changes.