Invalid CSRF token



  • Hello,
    I'm new to NodeBB. I just saw NodeBB and was instantly in love with it, and I wanted to use it as a backend forum, so I downloaded it and started developing.

    I duplicated a theme and renamed it to start developing on it.
    Then I added this code in library.js:

    function renderThemepage(req, res, next) {
        res.render('add_comic', {});
    }

    Theme.init = function(params, callback) {
        var app = params.router,
            middleware = params.middleware,
            controllers = params.controllers;

        app.get('/comic/add', middleware.applyCSRF, middleware.buildHeader, renderThemepage);

        app.post('/comic/add', middleware.applyCSRF, middleware.buildHeader, function(req, res, next) {
            // Echo the submitted form fields back; sending the whole req object
            // fails because it cannot be serialised.
            res.send(req.body);
        });
        callback();
    };
    

    add_comic.tpl has a basic form that sends the POST request to /comic/add, but I get "invalid csrf token" in the logs whenever I submit the form.



  • :)


  • Admin

    You'll want to send in the csrf token as a header value. You can investigate the proper way to do so using jQuery.

    The header name is x-csrf-token



  • I checked using an HTTP header plugin, but no x-csrf-token is being passed. Can you give an example, or do you know any link where it is shown? I have duplicated the vanilla theme as the base.



  • Ok, I solved it. After checking that there is no csrf header I tried to add it manually, but it didn't succeed. I went and added the token in the template like this (for those who might get stuck on the same problem as me):

    	<input type="hidden" value="{token}" name="_csrf" />
    

    and passing the value like this:

    function renderThemepage(req, res, next) {
        // req.csrfToken() is provided by the applyCSRF (csurf) middleware on the route,
        // so no extra require is needed here.
        res.render('add_comic', {token: req.csrfToken()});
    }

  • Admin

    @riteshsanap Good to know that still works.

    Either pass in _csrf as a form value, or, if submitting via ajax, you can send the x-csrf-token header.



  • I'm also getting an invalid csrf error while trying to log in, if anyone can help me out...

    I'm running 0.5.7 and reset theme and plugins, but no luck. I looked at mongodb and the sessions collection grows by about 6-9 documents each page request...weird. This is a development instance, so I'm the only one...

    Also, I was logged in on Chrome and noticed I couldn't log in on Firefox...just Chrome for some reason. So, I cleared my cache in Chrome and it started giving me errors.



  • I figured out my issue...

    The MongoDB user I was using had a readWrite role, but I guess it needs the dbAdmin role as well. When I tried creating a new user in the nodebb admin area, it would make things go wonky without the dbAdmin role and result in invalid csrf tokens.

