Problem with invalid csrf token on registration/login

Technical Support
  • I am running a NodeBB 1.15.0 system on Ubuntu 20 on nginx. It's a newer install and we've had an occasional issue on both registration and login where folks will get a message denying their login or registration.

    2020-11-12T06:11:19.312Z [4567/17870] - error: /register
    invalid csrf token


    2020-11-12T06:11:13.910Z [4567/17870] - error: /login
    invalid csrf token

    Frequently a refresh of the browser will let a user log in, or sometimes just waiting a few minutes will.

    Here's my config.json

    {
        "url": "",
        "secret": "secret",
        "database": "mongo",
        "port": "4567",
        "mongo": {
            "host": "",
            "port": "27017",
            "username": "nodebb",
            "password": "secret",
            "database": "nodebb",
            "uri": ""
        }
    }


    Nginx config

    server {

        client_max_body_size 100M;
        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            proxy_redirect off;
            # Socket.IO Support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }

    server {
        if ($host = {
            return 301 https://$host$request_uri;
        } # managed by Certbot

        listen 80;
        return 404; # managed by Certbot
    }


    Any help would be very much appreciated!
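
A triage aid for the log excerpts quoted in the post, added here as an example and not part of the original post or of NodeBB's code: it tallies `invalid csrf token` errors by route, by process and by five-minute window, which shows whether the intermittent failures cluster in time or on one process. The sample log is constructed, and the function names and the reading of the bracketed field as `[port/pid]` are assumptions.

```javascript
// Constructed sample in the two-line format of the entries quoted in the post.
const SAMPLE_LOG = `2020-11-12T06:11:13.910Z [4567/17870] - error: /login
invalid csrf token
2020-11-12T06:11:19.312Z [4567/17870] - error: /register
invalid csrf token
2020-11-12T06:12:02.100Z [4567/17870] - info: constructed non-error line
2020-11-12T06:25:40.005Z [4567/17870] - error: /login
invalid csrf token
2020-11-12T06:30:00.000Z [4567/17870] - error: /api/sample
some other error`;

// Header line: ISO timestamp, [port/pid] (assumed meaning), level, message.
const HEADER = /^(\S+) \[(\d+)\/(\d+)\] - (\w+): (.*)$/;

// Collect error entries whose following line is the CSRF rejection message.
function parseCsrfFailures(logText) {
  const lines = logText.split(/\r?\n/);
  const failures = [];
  for (let i = 0; i < lines.length - 1; i++) {
    const m = HEADER.exec(lines[i].trim());
    if (m && m[4] === 'error' && lines[i + 1].trim() === 'invalid csrf token') {
      failures.push({ time: new Date(m[1]), port: m[2], pid: m[3], route: m[5] });
    }
  }
  return failures;
}

// Count failures per route, per process and per fixed-size time window.
function summarize(failures, windowMinutes = 5) {
  const windowMs = windowMinutes * 60 * 1000;
  const bump = (obj, key) => { obj[key] = (obj[key] || 0) + 1; };
  const out = { total: failures.length, byRoute: {}, byProcess: {}, byWindow: {} };
  for (const f of failures) {
    bump(out.byRoute, f.route);
    bump(out.byProcess, `${f.port}/${f.pid}`);
    // Round the timestamp down to the start of its window.
    const start = Math.floor(f.time.getTime() / windowMs) * windowMs;
    bump(out.byWindow, new Date(start).toISOString());
  }
  return out;
}

console.log(JSON.stringify(summarize(parseCsrfFailures(SAMPLE_LOG)), null, 2));
```
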
