Missing csrf token
-
After updating NodeBB to version 1.14.2 I have problems with the missing csrf_token in the client js scripts. It's used for ajax submits when uploading files: 'x-csrf-token': config.csrf_token. The token is set in apiController.loadConfig.
The problem is related to the merge made by @barisusakli https://github.com/NodeBB/NodeBB/pull/8367/commits
For some reason the added middleware.applyCSRF is not working as it should and the csrf token is not applied to the config (missing in the req).
After reverting the code to the state before these changes, it works.
I don't know if this is a bug or just a situation related to my forum/nginx (test env)/apache (prod env) configuration.
Can I ask for help to solve this issue? Let me know if I can provide any additional logs/details related to the case. Thanks!
-
Please open an issue on GitHub for bugs like this
-
@baris Probably I got the problem (or rather problems).
-
The homepage for my forum is set to a custom page based on the plugin:
https://github.com/NodeBB-Community/nodebb-plugin-custom-pages
Sadly, it looks like it is missing applying the csrf token, so when the custom page is loaded first, each next page loaded dynamically (without a page refresh) will be without the csrf token (until the user refreshes the forum on another page, like a topic or categories).
-
It could have been easier to catch, but in my case my file upload was also in a custom plugin with its own route. And I was creating it like:
router.get('/groups/:slug/lesson/:lessonId/:name', middleware.buildHeader, lessonController.render);
router.get('/api/groups/:slug/lesson/:lessonId/:name', lessonController.render);
instead of using the helper:
const routesHelpers = require.main.require('./src/routes/helpers');
routesHelpers.setupPageRoute(app, '/groups/:slug/lesson/:lessonId/:name', middleware, [], lessonController.render);
It would be great if you could confirm that nodebb-plugin-custom-pages really could cause the trouble, thanks!
-
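The failure mode described in this thread, as an added example that is not part of the original posts and is not NodeBB's code: a simplified model in which the client config only receives csrf_token when applyCSRF runs before buildHeader, plus an audit that lists page routes registered without it. The router, the middleware bodies, the setupPageRoute stand-in and the route paths are assumptions made for illustration.

```javascript
const { randomBytes } = require('crypto');
// Simplified stand-ins for the middleware named in the thread (assumed behaviour, not NodeBB source).
const middleware = {
  // Creates a per-session token and exposes it on the request object.
  applyCSRF(req, res, next) {
    req.session.csrf = req.session.csrf || randomBytes(16).toString('hex');
    req.csrfToken = () => req.session.csrf;
    next();
  },
  // Builds the client config; the token exists only if applyCSRF ran earlier in the chain.
  buildHeader(req, res, next) {
    res.locals.config = { csrf_token: req.csrfToken ? req.csrfToken() : undefined };
    next();
  },
};

// Minimal router that records handler chains the way router.get() receives them.
function createRouter() {
  const routes = new Map();
  return {
    routes,
    get(path, ...handlers) { routes.set(path, handlers.flat()); },
    // Runs the chain for a path against a constructed request and returns res.locals.
    dispatch(path, session = {}) {
      const req = { session }, res = { locals: {} };
      const chain = routes.get(path);
      let i = 0;
      const next = () => { const h = chain[i++]; if (h) h(req, res, next); };
      next();
      return res.locals;
    },
  };
}

// Hypothetical helper modelled on the setupPageRoute call in the post: it always adds applyCSRF.
function setupPageRoute(router, path, mw, extra, controller) {
  router.get(path, mw.applyCSRF, mw.buildHeader, extra, controller);
  router.get('/api' + path, extra, controller);
}

// Audit: page routes that build the header but never run the CSRF middleware.
function routesMissingCSRF(router, mw) {
  return [...router.routes].filter(([, chain]) =>
    chain.includes(mw.buildHeader) && !chain.includes(mw.applyCSRF)).map(([path]) => path);
}

const render = (req, res, next) => { res.locals.rendered = true; next(); };
const router = createRouter();
router.get('/lesson-manual', middleware.buildHeader, render);      // hand-registered, as in the post
setupPageRoute(router, '/lesson-helper', middleware, [], render);  // registered through the helper
```

Running the audit over a plugin's registered routes at startup flags any page that would hand the client a config without a token before an upload request fails on it.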