Invalid CSRF token

NodeBB Development
  • Hello,
    I'm new to NodeBB; I just saw NodeBB and was instantly in love with it. I wanted to use it as a backend forum, so I downloaded it and started developing.

    I duplicated a theme and renamed it, to start developing on it.
    Then I added this code in library.js:

    function renderThemepage(req, res, next) {
    	res.render('add_comic', {});
    }

    Theme.init = function(params, callback) {
    	var app = params.router,
    		middleware = params.middleware,
    		controllers = params.controllers;

    	// GET renders the form; POST receives the submitted form
    	app.get('/comic/add', middleware.applyCSRF, middleware.buildHeader, renderThemepage);
    	app.post('/comic/add', middleware.applyCSRF, middleware.buildHeader, function(req, res, next) {
    		// handler body not included in the original post
    	});

    	callback();
    };

    add_comic.tpl has a basic form, that sends the post request to /comic/add but I get invalid csrf token in the logs whenever I submit the form.

  • You'll want to send in the csrf token as a header value. You can investigate the proper way to do so using jQuery.

    The header name is x-csrf-token

  • I checked using an HTTP header plugin but no x-csrf-token is being passed. Can you give an example, or do you know any link where it is shown? I have duplicated the vanilla theme as the base.

  • OK, I solved it. After checking that there is no csrf header I tried to add it manually, but it didn't succeed, so I went and added the token in the template like this (for those who might get stuck on the same problem as me):

    	<input type="hidden" value="{token}" name="_csrf" />

    and passing the value like this:

    function renderThemepage(req, res, next) {
    	var csrf = require('csurf'); // not used below; req.csrfToken() is attached by the CSRF middleware (middleware.applyCSRF)
    	res.render('add_comic', {token: req.csrfToken()});
    }
  • @riteshsanap Good to know that still works.

    Either pass in _csrf as a form value, or, if submitting via ajax, you can send the x-csrf-token header.

  • I'm also getting an invalid csrf error while trying to log in if anyone can help me out...

    I'm running 0.5.7 and reset theme and plugins, but no luck. I looked at mongodb and the sessions collection grows by about 6-9 documents each page request...weird. This is a development instance, so I'm the only one...

    Also, I was logged in on Chrome and noticed I couldn't log in on Firefox...just Chrome for some reason. So, I cleared my cache in Chrome and it started giving me errors

  • I figured out my issue...

    MongoDB user I was using had a readWrite role, but I guess it needs the dbAdmin role as well. When I tried creating a new user in the nodebb admin area, then it would make things go wonky without the dbAdmin role and result in invalid csrf tokens.
