It's due to a breaking change in 3.x
I'm the author of csrf-sync, and this is my first time looking through the NodeBB codebase. As a result of trying to get csrf-sync to work with NodeBB, I ended up making a few improvements to csrf-sync and releasing v4. This makes csrf-sync's default behavior much more similar to csurf's, without compromising security, while also making it much more plug-and-play during replacement. I have gotten this working locally.

As per the contribution guide, I tried running npm test; 8 tests passed, then one failed: error [user.create] Validation email failed to send. But the contribution guide does not detail how the email should be configured for testing, and I shouldn't have to configure an actual emailer to run the tests, imo.

This should fix issue #11046. I manually tested by running via grunt, logging in as a user, creating a new user, logging in as that user in another browser session, then sending chats between the users. No CSRF errors were encountered and tokens were included in the requests as expected.

Please note that this PR currently assumes that the CSRF token is always expected to be in the header. This PR will NOT work if there are cases where the token is submitted inside the request body. If there are cases where the token is submitted via the request body instead of the header, please let me know and I can update the PR.
Plugins that use req.csrfToken() will need to be updated.