Invalid CSRF token

NodeBB Development
  • Hello,
    I'm new to NodeBB. I just saw NodeBB and was instantly in love with it, and I wanted to use it as a backend forum, so I downloaded it and started developing.

    I duplicated a theme and renamed it, to start developing on it.
    Then I added this code to library.js:

    // GET handler: render the add_comic template (no data passed yet)
    function renderThemepage(req, res, next) {
        res.render('add_comic', {});
    }

    Theme.init = function(params, callback) {
        var app = params.router,
            middleware = params.middleware,
            controllers = params.controllers;

        app.get('/comic/add', middleware.applyCSRF, middleware.buildHeader, renderThemepage);

        app.post('/comic/add', middleware.applyCSRF, middleware.buildHeader, function(req, res, next) {
            // echo the parsed form body back for debugging
            // (res.send(req) fails: the request object cannot be serialized)
            res.json(req.body);
        });
        callback();
    };
    

    add_comic.tpl has a basic form that sends the POST request to /comic/add, but I get "invalid csrf token" in the logs whenever I submit the form.

  • You'll want to send in the CSRF token as a header value. You can investigate the proper way to do so using jQuery.

    The header name is x-csrf-token.

  • I checked using an HTTP header plugin, but no x-csrf-token is being passed. Can you give an example, or do you know any link where it is shown? I have duplicated the vanilla theme as the base.

  • OK, I solved it. After checking that there was no CSRF header I tried to add it manually, but that didn't succeed, so I went and added the token in the template like this (for those who might get stuck on the same problem as me):

        <input type="hidden" value="{token}" name="_csrf" />

    and passed the value like this:

    function renderThemepage(req, res, next) {
        // the csurf require is not used here: req.csrfToken() is already
        // provided by middleware.applyCSRF on the route
        var csrf = require('csurf');
        // render the token into the template so the form can post it as _csrf
        res.render('add_comic', {token: req.csrfToken()});
    }
    
  • @riteshsanap Good to know that still works.

    Either pass in _csrf as a form value, or, if submitting via ajax, you can send the x-csrf-token header.

  • I'm also getting an invalid csrf error while trying to log in if anyone can help me out...

    I'm running 0.5.7 and reset the theme and plugins, but no luck. I looked at MongoDB and the sessions collection grows by about 6-9 documents each page request...weird. This is a development instance, so I'm the only one...

    Also, I was logged in on Chrome and noticed I couldn't log in on Firefox...just Chrome for some reason. So, I cleared my cache in Chrome and it started giving me errors

  • I figured out my issue...

    MongoDB user I was using had a readWrite role, but I guess it needs the dbAdmin role as well. When I tried creating a new user in the nodebb admin area, then it would make things go wonky without the dbAdmin role and result in invalid csrf tokens.
