Community

Invalid CSRF token

NodeBB Development
  • R
    R
    #1

    Hello,
    I m new to NodeBB, I just saw NodeBB and was instantly in love with it, I wanted to use it as a Backened forum. So I downloaded and started developing.

    I duplicated a theme and renamed it , to start developing on it.
    then I added this code in the library.js

    function renderThemepage(req, res, next) {
	res.render('add_comic', {});
};

Theme.init = function(params, callback) {
	var app = params.router,
	middleware = params.middleware,
	controllers = params.controllers;
	 
	app.get('/comic/add', middleware.applyCSRF, middleware.buildHeader, renderThemepage);

	app.post('/comic/add', middleware.applyCSRF, middleware.buildHeader, function(req, res, next) {
		res.send(req);
	});
	callback();
};

    add_comic.tpl has a basic form, that sends the post request to /comic/add but I get invalid csrf token in the logs whenever I submit the form.

    0
  • Q
    Q
    #2

    :)that sends the post request to /comic/add but I get invalid csrf token in the logs whenever I submit the form.

    0
  • julianJ
    julianJ
    GNU/Linux
    #3

    You'll want to send in the csrf token as a header value. You can investigate time proper way to do so using jQuery.

    The header name is x-csrf-token

    1
  • R
    R
    #4

    I checked using HTTP header plugin but no x-csrf-token is being passed, can you give an example or do you know any link where it is shown, I have duplicated vanilla theme as the base.

    0
  • R
    R
    #5

    Ok , I solved it, after checking that there is no csrf header i tried manually add it, but it didn't succeed I went add the token in template as (for those who might get stuck on same problem as me)

    	<input type="hidden" value="{token}" name="_csrf" />

    and passing the value like this

    function renderThemepage(req, res, next) {
	var csrf = require('csurf');
	res.render('add_comic', {token: req.csrfToken()});
};
    0
  • julianJ
    julianJ
    GNU/Linux
    #6

    @riteshsanap Good to know that still works.

    Either pass in _csrf as a form value, or if submitting via ajax, can send x-csrf-token header

    0
  • mootzvilleM
    mootzvilleM
    #7

    I'm also getting an invalid csrf error while trying to log in if anyone can help me out...

    I'm runnning 0.5.7 and reset theme and plugins, but not luck. I looked at mongodb and the sessions collection grows by about 6-9 documents each page request...weird. This is a development instance, so I'm the only one...

    Also, I was logged in on Chrome and noticed I couldn't log in on Firefox...just Chrome for some reason. So, I cleared my cache in Chrome and it started giving me errors

    0
  • mootzvilleM
    mootzvilleM
    #8

    I figured out my issue...

    MongoDB user I was using had a readWrite role, but I guess it needs the dbAdmin role as well. When I tried creating a new user in the nodebb admin area, then it would make things go wonky without the dbAdmin role and result in invalid csrf tokens.

    0

Suggested Topics

  • DoppyD

    "Invalid date" replaced the correct date value in my showsingle.tpl

    NodeBB Development
    0 Votes
    2 Posts
    890 Views

    barisB

    Does it work with just this

    <small class="timeago" title="{element.timestampInISOFormat}"></small>

  • A

    Unable to purge posts -- Invalid Date

    NodeBB Development
    0 Votes
    1 Posts
    831 Views

    A

    Hey guys,

    I have encountered some weird issues.

    NodeBB Version: 1.4.5 (then upgraded to 1.4.6)
    Theme: Persona
    Issue: Can't purge posts.

    Delete:
    0_1492919749524_A8CFF4476BB017F083175E3F1B7FFD2E.png

    Purge:
    0_1492919764039_EE6A23ED79A6E323BCE16688B01C43AD.jpg

    Restore:
    0_1492919724549_8A73009D272CDC6B4915AC1CEEFFD6F8.png

    No errors or warnings in ./nodebb log

    What I have tried but failed:

    reboot NodeBB disable all plugins restart mondodb reboot VPS git pull && ./nodebb upgrade (from 1.4.5 to 1.4.6) git fetch && git reset --hard origin/v1.x.x

    What I have tried but just a workaround:
    I found this reply

    Use Vanilla theme. Now I can delete and purge themes. 😄 Uninstall and then reinstall Persona theme. Use Persona theme. The issue remains. 😢

    Another issue with Persona theme:
    0_1492921694537_Snip20170423_9.png

    Another bug found when writing this post:
    0_1492921949468_Snip20170423_10.png
    0_1492922040771_Snip20170423_11.png

  • amarinelliA

    Failed login attempt, forbidden, invalid csrf token

    Solved Technical Support
    1 Votes
    4 Posts
    2899 Views

    julianJ

    Thanks for the update @amarinelli

  • B

    CSRF

    NodeBB Development
    1 Votes
    6 Posts
    3118 Views

    julianJ

    Re: gh#2424

  • julianJ

    Plugin Developers!! Read this re: v0.6.0 Breaking changes

    NodeBB Development
    2 Votes
    17 Posts
    6518 Views

    julianJ

    I correctly assumed (and this has been validated through actual plugin upgrades) that the latest hash in npm points to the most recently published version, and not the highest version.

    That is, given your plugin nodebb-plugin-example

    If v1.0.0 is compatible with v0.5.4 If v1.1.0 is compatible only with v0.6.0 The latter is published first A user typing npm install nodebb-plugin-example will receive v1.0.0 of the plugin, irrespective of what NodeBB version he/she is running, even though v1.1.0 is technically newer

    Now, special note: The NodeBB Package Manager doesn't do this. When the ACP calls nbbpm to request a suggested package, we query npm for the plugin data, and sort the versions before checking compatibility, so this issue is moot.

| | | |
Copyright © 2023 NodeBB | Contributors