Invalid CSRF token when authenticating via third-party app

Technical Support
6 Posts 3 Posters 379 Views
#1 hnipps wrote:

    I'm trying to use NodeBB as a headless forum (i.e. just a REST API with a separate front end) but keep getting an "invalid csrf token" error when I try to authenticate.

    I've confirmed I can authenticate via the NodeBB UI on the same instance.

    I've also tried getting the NodeBB config and using the csrf token from there in my requests but it still does not work.

    My frontend is a NextJS app that rewrites all /api/:path* requests to http://<MY-NODE-BB-INSTANCE>/api/:path*. It also rewrites the auth paths.

    I can see the requests reach NodeBB but always get "invalid csrf token".

    I've verified that I can successfully call GET endpoints from my app, e.g. I can get the user list from /api/users.

#2 PitaJ (Global Moderator, Plugin & Theme Dev) wrote:

    So you're saying you tried setting the x-csrf-token header like this and that didn't help?

    When you say your "NextJS app ... rewrites", that's a client-side operation? Everything you're talking about happens in the browser, right?

    Have you tried just doing the same requests with fetch instead?

#3 hnipps replied to PitaJ:

    Thanks for your response @PitaJ !

    Yes, I'm setting the CSRF token like that.

    The NextJS rewrite is server-side. The NextJS server rewrites some paths (e.g. myapp.com/api/users) to point to my NodeBB instance (e.g. mynodebb.com/api/users); essentially it's a proxy so I don't have to mess with CORS.

    I'm already using fetch 😞

    Having said all this I figured out the issue. I needed to set the canonical url in NodeBB config to be my frontend URL, not the URL at which NodeBB is served.

    So I fixed the csrf token issue and now I have another issue 🫠 ...

    I can login but the endpoint always returns a 404 error.

    My plugin adds a new auth endpoint (/auth/lit-protocol) which adds a new passport login strategy but I always get a 404 even though I get logged in to NodeBB.

#4 PitaJ (Global Moderator, Plugin & Theme Dev) replied to hnipps:

    @hnipps what's returning the 404, NextJS or NodeBB? What is the exact error you're getting?

    Is your site under a subfolder, like example.org/forum? You'll need to send requests under that same path. So instead of /api/whatever, it would need to be /forum/api/whatever.

#5 julian (GNU/Linux) replied to hnipps:

    @hnipps said in Invalid CSRF token when authenticating via third-party app:

    My plugin adds a new auth endpoint (/auth/lit-protocol) which adds a new passport login strategy but I always get a 404 even though I get logged in to NodeBB.

    What are you calling to log in the user, req.login? Might be easier to call .doLogin(req, uid); (which is exported by src/controllers/authentication.js)

#6 hnipps wrote:

    @PitaJ @julian
    Apologies for not replying and thank you for the suggestions!

    I figured out the issue with csrf. I had to set the config url to be that of my client app instead of the nodebb instance.

    Using this I'm able to request the csrf token from the config endpoint and use that in subsequent requests.

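The flow the thread converges on (fetch the token from the config endpoint, then send it in the x-csrf-token header together with the session cookie it was issued for), as an added example that is neither the poster's code nor NodeBB's own. The endpoint shapes (`/api/config` returning `csrf_token`, `/login` taking `username`/`password`) and the Node-style `fetch` are assumptions; `fetchImpl` is injectable so the flow can be exercised offline.

```javascript
// Added example, not code from the thread. Assumes GET /api/config returns JSON with a
// `csrf_token` field and sets the session cookie, and that POST /login takes form fields
// `username`/`password` with the token in the `x-csrf-token` header (shapes assumed here).
// Keep only the name=value pairs from Set-Cookie so the session can be replayed. The token
// is bound to that session: sending it with a different cookie (or none, as a proxy that
// drops cookies would) is exactly what yields "invalid csrf token".
function cookieHeaderFromSetCookie(setCookieValues) {
  return setCookieValues
    .map((line) => line.split(';')[0].trim())
    .filter(Boolean)
    .join('; ');
}

// Fetch the config, harvesting both the token and the cookie it belongs to.
async function fetchCsrfSession(baseUrl, fetchImpl = fetch) {
  const res = await fetchImpl(`${baseUrl}/api/config`, { headers: { accept: 'application/json' } });
  if (!res.ok) throw new Error(`config request failed: ${res.status}`);
  const config = await res.json();
  if (typeof config.csrf_token !== 'string' || !config.csrf_token) {
    throw new Error('config response has no csrf_token');
  }
  // Node 20+ exposes getSetCookie(); older runtimes return one joined header value.
  const setCookie = typeof res.headers.getSetCookie === 'function'
    ? res.headers.getSetCookie()
    : [res.headers.get('set-cookie') || ''];
  return { csrfToken: config.csrf_token, cookie: cookieHeaderFromSetCookie(setCookie) };
}

// Build the login request so it carries both the session cookie and the matching token.
function buildLoginRequest(baseUrl, session, username, password) {
  return {
    url: `${baseUrl}/login`,
    init: {
      method: 'POST',
      headers: {
        'content-type': 'application/x-www-form-urlencoded',
        'x-csrf-token': session.csrfToken,
        cookie: session.cookie,
      },
      body: new URLSearchParams({ username, password }).toString(),
    },
  };
}

async function headlessLogin(baseUrl, username, password, fetchImpl = fetch) {
  const session = await fetchCsrfSession(baseUrl, fetchImpl);
  const { url, init } = buildLoginRequest(baseUrl, session, username, password);
  const res = await fetchImpl(url, init);
  return { status: res.status, session };
}
```

With a real `fetch`, `headlessLogin('http://<MY-NODE-BB-INSTANCE>', user, pass)` performs the same two requests; the cookie replay is the part a server-side rewrite such as the poster's NextJS proxy has to preserve end to end.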

Copyright © 2023 NodeBB | Contributors