I am seeing similar behavior too for read API (for example get user by email api), master token and _uid are ignored when sending request. The document states that master token can be used, however it doesn't seem to be the case for all APIs.
Missing csrf token
After update NodeBB to version 1.14.2 I have problems with the missing
csrf_tokenin the client js scripts. It's used for ajax submits when uploading a files:
'x-csrf-token': config.csrf_token. Token is set in
The problem is related to the merge made by @barisusakli https://github.com/NodeBB/NodeBB/pull/8367/commits
For some reason added
middleware.applyCSRFis not worked as it should be and csrf token is not applied to the config (missing in the
After revert the code to the state before this changes - it's working.
I don't know if this is a bug or just a situation related to my forum/nginx (test env)/apache (prod env) configuration.
Can I ask about help to solve this issue? Let me know if I can provide any additional logs/details related to the case. Thanks!
Please open an issue on GitHub for bugs like this
Which route are you making a request to?
@baris Probably I got the problem (or rather problems).
Homepage for my forum is set to custom page based on plugin:
Sadly it looks that it's missing applying csrf token, so in the situation when custom page is loaded first - each next loaded dynamically (without page refresh) will be without csrf token (until user refresh forum on other page, like topic or categories).
It could be easier to catch, but in my case there was also that my file upload was in the custom plugin with own route. And I was creating it like:
router.get('/groups/:slug/lesson/:lessonId/:name', middleware.buildHeader, lessonController.render); router.get('/api/groups/:slug/lesson/:lessonId/:name', lessonController.render);
instead of using helper:
const routesHelpers = require.main.require('./src/routes/helpers'); routesHelpers.setupPageRoute(app, '/groups/:slug/lesson/:lessonId/:name', middleware, , lessonController.render);
It would be great if you can confirm that
nodebb-plugin-custom-pagesreally could make the trouble, thanks!
Yeah either use helpers.setupPageRoute which calls applyCSRF or if you are doing it manually use the csrf middleware. helpers.setupPageRoute uses quite a bit of middlewares see here