Problem with invalid csrf token on registration/login


  • I am running NodeBB 1.15.0 on Ubuntu 20 behind nginx. It's a newer install, and we've had an occasional issue on both registration and login where folks get a message denying their login or registration.

    2020-11-12T06:11:19.312Z [4567/17870] - error: /register
    invalid csrf token

    or

    2020-11-12T06:11:13.910Z [4567/17870] - error: /login
    invalid csrf token

    Frequently a browser refresh will let the user log in, and sometimes just waiting a few minutes is enough.

    Here's my config.json

    {
    "url": "https://opposite-lock.com",
    "secret": "secret",
    "database": "mongo",
    "port": "4567",
    "mongo": {
    "host": "127.0.0.1",
    "port": "27017",
    "username": "nodebb",
    "password": "secret",
    "database": "nodebb",
    "uri": ""
    }

    }

    Nginx config

    # HTTPS virtual host: terminates TLS for opposite-lock.com and reverse-proxies
    # every request to the application listening on 127.0.0.1:4567.
    server {

    server_name opposite-lock.com;
    
    # Accept request bodies up to 100 MB; this limit applies to every location below.
    client_max_body_size 100M;
    
    location / {
        # Pass the connecting client's address to the backend.
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to any X-Forwarded-For
        # header the client sent, so every entry before the last is client-controlled.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tell the backend which scheme the client used to reach nginx.
        proxy_set_header X-Forwarded-Proto $scheme;
        # $http_host is the Host header exactly as the client sent it. nginx's $host
        # is the normalised alternative (lowercased, port stripped).
        # NOTE(review): confirm which form the backend expects before changing this.
        proxy_set_header Host $http_host;
        # Custom marker header; how the backend uses it is not shown here.
        proxy_set_header X-NginX-Proxy true;
    
        # Backend is addressed over loopback only; port matches "port" in config.json.
        proxy_pass http://127.0.0.1:4567;
        proxy_redirect off;
    
        # Socket.IO Support
        # HTTP/1.1 plus the Upgrade/Connection headers are needed for WebSocket handshakes.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        # Sent on every proxied request, not only on upgrade requests.
        # NOTE(review): a map on $http_upgrade is the usual way to make this conditional.
        proxy_set_header Connection "upgrade";
    }
    
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/opposite-lock.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/opposite-lock.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    

    }
    # Plain-HTTP virtual host on port 80: requests whose host is opposite-lock.com
    # are redirected to the HTTPS site; anything else reaching this block gets a 404.
    server {
    # Permanent redirect that keeps the original path and query string.
    if ($host = opposite-lock.com) {
    return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    
    server_name opposite-lock.com;
    # Reached only when the host check above did not match.
    return 404; # managed by Certbot
    

    }

    Any help would be very much appreciated!
