
CSRF Issue

NodeBB Plugins
  • I'm working on my first plugin and have based it strongly on the imgur plugin to use Rackspace Cloudfiles for storage.

    The code seems to work fine if I use it for a category image but I get an invalid CSRF response if I do it in a topic.

    Ring any bells?

  • I hate to, but.

    Bump?

  • Were you trying to upload an image to a topic when this happened? Odd...

  • Initially, yes. It would work for category images, however.

    A couple of bits of code tests and a git pull later, I was getting it in the control panel for category images as well.

  • Hm... the plugins shouldn't really touch anything on the front-end where CSRF tokens are handled. Can you try with the latest code in master?

  • @julian said:

    Can you try with the latest code in master?

    gh#2359, might run into this issue though. 😛

  • Well, I'm back to having different results between the Categories image upload and the Topic Post Upload.

    Categories is giving me an invalid image path - which I expect is an issue with my code rather than elsewhere, but I still have this - from a dev run:

    2014-11-07T17:15:25.533Z - info: [plugins] Problem executing hook: filter:uploadImage err: {}
    2014-11-07T17:16:36.416Z - error: /api/post/upload
    Error: invalid csrf token
    at module.exports (/mnt/Extra/home/me/Projects/NodeBB/node_modules/csurf/node_modules/http-errors/index.js:32:16)
    at verifytoken (/mnt/Extra/home/me/Projects/NodeBB/node_modules/csurf/index.js:237:11)
    at csrf (/mnt/Extra/home/me/Projects/NodeBB/node_modules/csurf/index.js:100:7)
    at Layer.handle [as handle_request] (/mnt/Extra/home/me/Projects/NodeBB/node_modules/express/lib/router/layer.js:82:5)
    at next (/mnt/Extra/home/me/Projects/NodeBB/node_modules/express/lib/router/route.js:100:13)
    at Form.<anonymous> (/mnt/Extra/home/me/Projects/NodeBB/node_modules/connect-multiparty/index.js:101:9)
    at Form.emit (events.js:117:20)
    at maybeClose (/mnt/Extra/home/me/Projects/NodeBB/node_modules/connect-multiparty/node_modules/multiparty/index.js:557:10)
    at endFlush (/mnt/Extra/home/me/Projects/NodeBB/node_modules/connect-multiparty/node_modules/multiparty/index.js:552:3)
    at WriteStream.<anonymous> (/mnt/Extra/home/me/Projects/NodeBB/node_modules/connect-multiparty/node_modules/multiparty/index.js:617:5)
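Added example, not part of the original thread and not NodeBB or csurf code: the trace above shows csurf rejecting `/api/post/upload` after connect-multiparty finished parsing, and csurf reports a missing token and a wrong token with the same "invalid csrf token" message. The sketch below tells the two apart using the lookup order documented for csurf's default `value` function; the HMAC token scheme, `diagnose`, and the sample requests are assumptions constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Simplified salted token (assumption: stands in for csurf's real token library).
function hashToken(salt, secret) {
  const mac = crypto.createHmac('sha256', secret).update(salt).digest('hex');
  return `${salt}-${mac}`;
}

function createToken(secret) {
  return hashToken(crypto.randomBytes(8).toString('hex'), secret);
}

// Header names checked after body._csrf and query._csrf.
const HEADERS = ['csrf-token', 'xsrf-token', 'x-csrf-token', 'x-xsrf-token'];

// Report where the request carries a token, in lookup order.
function locateToken(req) {
  if (req.body && req.body._csrf) return { where: 'body._csrf', token: req.body._csrf };
  if (req.query && req.query._csrf) return { where: 'query._csrf', token: req.query._csrf };
  for (const name of HEADERS) {
    const value = req.headers && req.headers[name];
    if (value) return { where: `header ${name}`, token: value };
  }
  return { where: null, token: null };
}

// Distinguish "no token sent" from "token does not belong to this session".
function diagnose(req, sessionSecret) {
  const { where, token } = locateToken(req);
  if (!token) return { status: 'missing', where };
  const salt = String(token).split('-')[0];
  const expected = Buffer.from(hashToken(salt, sessionSecret));
  const given = Buffer.from(String(token));
  // Constant-time comparison; the length check avoids timingSafeEqual throwing.
  const ok = expected.length === given.length && crypto.timingSafeEqual(expected, given);
  return { status: ok ? 'valid' : 'mismatch', where };
}

// Constructed sample requests (hypothetical, already parsed by the multipart middleware).
const secret = 'session-secret-A';
const samples = {
  fieldInMultipart: { body: { _csrf: createToken(secret) }, query: {}, headers: {} },
  noTokenSent: { body: {}, query: {}, headers: {} },
  staleSession: { body: {}, query: {}, headers: { 'x-csrf-token': createToken('session-secret-B') } },
};
for (const [name, req] of Object.entries(samples)) {
  console.log(name, diagnose(req, secret));
}
```

Logging the equivalent of `diagnose` just before the CSRF middleware shows whether an upload form is omitting the token or sending one issued for a different session.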

  • @Shard said:

    Well, I'm back to having different results between the Categories image upload and the Topic Post Upload.

    Categories is giving me an invalid image path - which I expect is an issue with my code rather than elsewhere, but I still have this - from a dev run:

    2014-11-07T17:15:25.533Z - info: [plugins] Problem executing hook: filter:uploadImage err: {}
    2014-11-07T17:16:36.416Z - error: /api/post/upload
    Error: invalid csrf token
    at module.exports (/mnt/Extra/home/me/Projects/NodeBB/node_modules/csurf/node_modules/http-errors/index.js:32:16)
    at verifytoken (/mnt/Extra/home/me/Projects/NodeBB/node_modules/csurf/index.js:237:11)
    at csrf (/mnt/Extra/home/me/Projects/NodeBB/node_modules/csurf/index.js:100:7)
    at Layer.handle [as handle_request] (/mnt/Extra/home/me/Projects/NodeBB/node_modules/express/lib/router/layer.js:82:5)
    at next (/mnt/Extra/home/me/Projects/NodeBB/node_modules/express/lib/router/route.js:100:13)
    at Form.<anonymous> (/mnt/Extra/home/me/Projects/NodeBB/node_modules/connect-multiparty/index.js:101:9)
    at Form.emit (events.js:117:20)
    at maybeClose (/mnt/Extra/home/me/Projects/NodeBB/node_modules/connect-multiparty/node_modules/multiparty/index.js:557:10)
    at endFlush (/mnt/Extra/home/me/Projects/NodeBB/node_modules/connect-multiparty/node_modules/multiparty/index.js:552:3)
    at WriteStream.<anonymous> (/mnt/Extra/home/me/Projects/NodeBB/node_modules/connect-multiparty/node_modules/multiparty/index.js:617:5)

    Perhaps this might be related?

  • My other issue seems to be from a code chunk inherited from the imgur plugin.

    It seems the imgur plugin has it as well. I wonder if this is something simple with my setup - where does node put the temporary uploaded file?

  • @Xiph Thank you!

    That gave me 99% of what I needed on the admin control - it's uploading again but not catching the success yet. That's on me. The imgur plugin that is referenced doesn't seem to have been updated - or I was managing to just look at a specific version in github.

    The user side has not changed.

  • Still no love on the CSRF. Did get this new error on the admin:

    2014-11-10T02:50:23.238Z - error: /admin/category/uploadpicture
    Error: Failed to lookup view "admin/footer" in views directory "/mnt/Extra/home/dbolack/Projects/NodeBB/public/templates"
    at EventEmitter.app.render (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/express/lib/application.js:519:17)
    at /mnt/Extra/home/dbolack/Projects/NodeBB/src/middleware/admin.js:103:8
    at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:570:21
    at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:249:17
    at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:125:13
    at Array.forEach (native)
    at _each (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:46:24)
    at async.each (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:124:9)
    at _asyncMap (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:248:13)
    at Object.map (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:219:23)

    Which baffles because the file was there and not weirdly perm'd.

    So I did a pull - perhaps unwise. All plugins now are having issue with: app.get('/admin/plugins/rscloudfiles', middleware.applyCSRF, middleware.admin.buildHeader, renderAdmin);

    TypeError: Cannot read property 'buildHeader' of undefined
    at Object.rscloudfiles.init [as method] (/mnt/Extra/home/dbolack/Projects/nodebb-plugin-rscloudfiles/index.js:61:80)
    at /mnt/Extra/home/dbolack/Projects/NodeBB/src/plugins.js:456:13
    at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:125:13
    at Array.forEach (native)
    at _each (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:46:24)
    at Object.async.each (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:124:9)
    at fireStaticHook (/mnt/Extra/home/dbolack/Projects/NodeBB/src/plugins.js:454:9)
    at Object.Plugins.fireHook (/mnt/Extra/home/dbolack/Projects/NodeBB/src/plugins.js:410:5)
    at Plugins.reloadRoutes (/mnt/Extra/home/dbolack/Projects/NodeBB/src/plugins.js:132:11)
    at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:656:23

  • Hmm.

    So is that a sit and wait for documentation, or is the middleware in the nodebb-essentials checkout?

  • @Shard It was in relation to the buildHeader error you received. It has now been fixed. Should be able to pull and upgrade again. 👍

  • @a_5mith Well, I hate to report, but that is not the case.

    2014-11-10T17:25:51.352Z - error: TypeError: Cannot read property 'buildHeader' of undefined
    at Object.rscloudfiles.init [as method] (/mnt/Extra/home/dbolack/Projects/nodebb-plugin-rscloudfiles/index.js:61:80)
    at /mnt/Extra/home/dbolack/Projects/NodeBB/src/plugins.js:456:13
    at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:125:13
    at Array.forEach (native)
    at _each (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:46:24)
    at Object.async.each (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:124:9)
    at fireStaticHook (/mnt/Extra/home/dbolack/Projects/NodeBB/src/plugins.js:454:9)
    at Object.Plugins.fireHook (/mnt/Extra/home/dbolack/Projects/NodeBB/src/plugins.js:410:5)
    at Plugins.reloadRoutes (/mnt/Extra/home/dbolack/Projects/NodeBB/src/plugins.js:132:11)
    at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:656:23
    TypeError: Cannot read property 'buildHeader' of undefined
    at Object.rscloudfiles.init [as method] (/mnt/Extra/home/dbolack/Projects/nodebb-plugin-rscloudfiles/index.js:61:80)
    at /mnt/Extra/home/dbolack/Projects/NodeBB/src/plugins.js:456:13
    at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:125:13
    at Array.forEach (native)
    at _each (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:46:24)
    at Object.async.each (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:124:9)
    at fireStaticHook (/mnt/Extra/home/dbolack/Projects/NodeBB/src/plugins.js:454:9)
    at Object.Plugins.fireHook (/mnt/Extra/home/dbolack/Projects/NodeBB/src/plugins.js:410:5)
    at Plugins.reloadRoutes (/mnt/Extra/home/dbolack/Projects/NodeBB/src/plugins.js:132:11)
    at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:656:23

    This might help:

    [dbolack@hidden NodeBB]$ git rev-parse HEAD
    91103fb09e6e29e34651baddbd5a80d2f8c9f670

  • You will need to update nodebb-plugin-rscloudfiles. There are changes to 0.6.0 that require some minor tweaks.

    I couldn't find your plugin on github, but if you look here, these are what you need to change to get your app working in 0.6.0+

    You should also add the 0.6.0 compatibility bits into your package.json file.

  • @a_5mith

    Aha. I was using the imgur plugin as a reference - which hadn't been updated on my last check (admittedly, last night) which explains this particular omission.

    Thank you. Maybe this will fix the CSRF issue as well.

  • @a_5mith

    That was indeed the issue there. Now I'm back to my previous levels of broken.

    https://github.com/dbolackrs/nodebb-plugin-rscloudfiles is the plugin.

    I still get this oddity. 2014-11-10T17:53:09.403Z - error: /admin/category/uploadpicture
    Error: Failed to lookup view "admin/header" in views directory "/mnt/Extra/home/dbolack/Projects/NodeBB/public/templates"
    at EventEmitter.app.render (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/express/lib/application.js:519:17)
    at /mnt/Extra/home/dbolack/Projects/NodeBB/src/middleware/admin.js:86:10
    at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:592:17
    at done (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:135:19)
    at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:32:16
    at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:589:21
    at /mnt/Extra/home/dbolack/Projects/NodeBB/src/plugins.js:434:4
    at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:277:13
    at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:157:25
    at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:274:17

    Followed by

    2014-11-10T17:53:09.513Z - error: /500
    Error: Failed to lookup view "footer" in views directory "/mnt/Extra/home/dbolack/Projects/NodeBB/public/templates"
    at EventEmitter.app.render (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/express/lib/application.js:519:17)
    at Object.async.parallel.footer (/mnt/Extra/home/dbolack/Projects/NodeBB/src/middleware/middleware.js:205:8)
    at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:583:25
    at /mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:125:13
    at Array.forEach (native)
    at _each (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:46:24)
    at Object.async.each (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:124:9)
    at _parallel (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:582:20)
    at Object.async.parallel (/mnt/Extra/home/dbolack/Projects/NodeBB/node_modules/async/lib/async.js:598:9)
    at middleware.buildHeader (/mnt/Extra/home/dbolack/Projects/NodeBB/src/middleware/middleware.js:200:8)

