Invalid CSRF token



  • Hello,
    I'm new to NodeBB. I just saw NodeBB and was instantly in love with it. I wanted to use it as a backend forum, so I downloaded it and started developing.

    I duplicated a theme and renamed it to start developing on it.
    Then I added this code in library.js:

    function renderThemepage(req, res, next) {
    	res.render('add_comic', {});
    };
    
    Theme.init = function(params, callback) {
    	var app = params.router,
    	middleware = params.middleware,
    	controllers = params.controllers;
    	 
    	app.get('/comic/add', middleware.applyCSRF, middleware.buildHeader, renderThemepage);
    
    	app.post('/comic/add', middleware.applyCSRF, middleware.buildHeader, function(req, res, next) {
    		res.send(req);
    	});
    	callback();
    };
    

    add_comic.tpl has a basic form, that sends the post request to /comic/add but I get invalid csrf token in the logs whenever I submit the form.



  • :)


  • Admin

    You'll want to send in the csrf token as a header value. You can investigate the proper way to do so using jQuery.

    The header name is x-csrf-token



  • I checked using an HTTP header plugin, but no x-csrf-token is being passed. Can you give an example, or do you know any link where it is shown? I have duplicated the vanilla theme as the base.



  • OK, I solved it. After checking that there is no csrf header, I tried to manually add it, but it didn't succeed, so I went and added the token in the template as (for those who might get stuck on the same problem as me)

    	<input type="hidden" value="{token}" name="_csrf" />
    

    and passing the value like this

    function renderThemepage(req, res, next) {
    	var csrf = require('csurf');
    	res.render('add_comic', {token: req.csrfToken()});
    };

  • Admin

    @riteshsanap Good to know that still works.

    Either pass in _csrf as a form value, or, if submitting via ajax, you can send the x-csrf-token header.
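
The check discussed in the posts above, as an added example that is not part of the original thread and is not NodeBB's or csurf's own code: a simplified model of a session-bound CSRF check that looks for the token in the `_csrf` form field or the `x-csrf-token` header. The HMAC token format, the `session.csrfSecret` field name and the sample requests are assumptions made for the sketch.

```javascript
// Added example: a simplified model of a csurf-style check (not NodeBB's or csurf's code).
const crypto = require('crypto');

// Token = salt + '-' + HMAC-SHA256(sessionSecret, salt). This construction is an assumption of the sketch.
function createToken(secret) {
  const salt = crypto.randomBytes(8).toString('hex');
  return salt + '-' + crypto.createHmac('sha256', secret).update(salt).digest('hex');
}

function verifyToken(secret, token) {
  if (typeof secret !== 'string' || typeof token !== 'string') return false;
  const i = token.indexOf('-');
  if (i < 1) return false;
  const expected = crypto.createHmac('sha256', secret).update(token.slice(0, i)).digest();
  const given = Buffer.from(token.slice(i + 1), 'hex');
  // Constant-time compare; the length check keeps timingSafeEqual from throwing on malformed input.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// The two places named in the thread: the _csrf form field, then the x-csrf-token header.
function tokenFromRequest(req) {
  return (req.body && req.body._csrf) || (req.headers && req.headers['x-csrf-token']);
}

// Status a request would get; safe methods are not checked, state-changing ones are.
function checkCsrf(req) {
  if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) return 200;
  return verifyToken(req.session.csrfSecret, tokenFromRequest(req)) ? 200 : 403;
}

// Constructed sample requests (session.csrfSecret is a hypothetical field name).
const sampleSession = { csrfSecret: crypto.randomBytes(18).toString('hex') };
const sampleToken = createToken(sampleSession.csrfSecret);
const samples = {
  formWithoutToken: { method: 'POST', session: sampleSession, headers: {}, body: { title: 'x' } },
  formWithHiddenField: { method: 'POST', session: sampleSession, headers: {}, body: { title: 'x', _csrf: sampleToken } },
  ajaxWithHeader: { method: 'POST', session: sampleSession, headers: { 'x-csrf-token': sampleToken }, body: {} },
  tokenFromOtherSession: { method: 'POST', session: sampleSession, headers: {}, body: { _csrf: createToken('other-secret') } },
};

function runSamples() {
  const out = {};
  for (const [name, req] of Object.entries(samples)) out[name] = checkCsrf(req);
  return out;
}

console.log(runSamples());
```

In this model a token is only valid against the session secret it was issued for, so a form rendered without the token and a token issued under a different session are both rejected.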



  • I'm also getting an invalid csrf error while trying to log in if anyone can help me out...

    I'm running 0.5.7 and reset theme and plugins, but no luck. I looked at mongodb and the sessions collection grows by about 6-9 documents each page request...weird. This is a development instance, so I'm the only one...

    Also, I was logged in on Chrome and noticed I couldn't log in on Firefox...just Chrome for some reason. So, I cleared my cache in Chrome and it started giving me errors.



  • I figured out my issue...

    The MongoDB user I was using had a readWrite role, but I guess it needs the dbAdmin role as well. When I tried creating a new user in the nodebb admin area, then it would make things go wonky without the dbAdmin role and result in invalid csrf tokens.

