New install leaves me with session mismatch + invalid csrf
-
Ok, so there have been a couple of threads on installation issues.
I was needing to spin up a new community next week for something anyway, so I went ahead and tried to work through this process.
I created this document as I worked because the official documentation is outdated.
Base CentOS 7 minimal
Database: Mongo 3.2
NVM v0.32.1
NodeJS v7.2.0
I have performed the check on v1.x.x, v1.3.0, and in this last instance straight from master.
[root@bna-cmty ~]# cd /opt
[root@bna-cmty opt]# git clone https://github.com/NodeBB/NodeBB nodebb
Cloning into 'nodebb'...
remote: Counting objects: 112978, done.
remote: Compressing objects: 100% (170/170), done.
remote: Total 112978 (delta 100), reused 2 (delta 2), pack-reused 112806
Receiving objects: 100% (112978/112978), 34.93 MiB | 10.38 MiB/s, done.
Resolving deltas: 100% (84801/84801), done.
[root@bna-cmty opt]# cd nodebb
[root@bna-cmty nodebb]# git branch
* master
[root@bna-cmty nodebb]# npm install
npm WARN deprecated [email protected]: use uuid module instead
npm WARN deprecated [email protected]: wrench.js is deprecated! You should check out fs-extra (https://github.com/jprichardson/node-fs-extra) for any operations you were using wrench for. Thanks for all the usage over the years.
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: graceful-fs v3.0.0 and before will fail on node releases >= v7.0. Please update to graceful-fs@^4.0.0 as soon as possible. Use 'npm ls graceful-fs' to find it in the tree.
[email protected] /opt/nodebb
├── [email protected]
<snip>
└── [email protected]
[root@bna-cmty nodebb]# ./nodebb setup
1/12 10:04 [12807] - info: NodeBB Setup Triggered via Command Line
Welcome to NodeBB!
This looks like a new installation, so you'll have to answer a few questions about your environment before we can proceed.
Press enter to accept the default setting (shown in brackets).
URL used to access this NodeBB (http://localhost:4567) https://community.domain.com
Please enter a NodeBB secret ()
Which database to use (mongo)
1/12 10:04 [12807] - info: Now configuring mongo database:
Host IP or address of your MongoDB instance (127.0.0.1)
Host port of your MongoDB instance (27017)
MongoDB username dbusername
Password of your MongoDB database
MongoDB database name (nodebb)
Configuration Saved OK
1/12 10:04 [12807] - info: [database] Checking database indices.
1/12 10:04 [12807] - info: [database] Checking database indices done!
Populating database with default configs, if not already set...
Enabling default theme: nodebb-theme-persona
No categories found, populating instance with default categories
1/12 10:04 [12807] - warn: No administrators have been detected, running initial user setup
Administrator username username
Administrator email address [email protected]
Password
Confirm Password
Creating welcome post!
Enabling default plugins
1/12 10:05 [12807] - info: [install/defaultPlugins] customDefaults
1/12 10:05 [12807] - info: [install/enableDefaultPlugins] activating default plugins 0=nodebb-plugin-composer-default, 1=nodebb-plugin-markdown, 2=nodebb-plugin-mentions, 3=nodebb-widget-essentials, 4=nodebb-rewards-essentials, 5=nodebb-plugin-soundpack-default, 6=nodebb-plugin-emoji-extended, 7=nodebb-plugin-emoji-one
1/12 10:05 [12807] - info: Beginning database schema update
1/12 10:05 [12807] - info: [2015/12/15] Chats upgrade skipped!
1/12 10:05 [12807] - info: [2015/12/23] Chats room hashes upgrade skipped!
1/12 10:05 [12807] - info: [2015/12/23] Adding theme to active plugins sorted set skipped!
1/12 10:05 [12807] - info: [2016/01/14] Creating user best post sorted sets skipped!
1/12 10:05 [12807] - info: [2016/01/20] Creating users:notvalidated skipped!
1/12 10:05 [12807] - info: [2016/01/23] Creating Global moderators group skipped!
1/12 10:05 [12807] - info: [2016/02/25] Social: Post Sharing skipped!
1/12 10:05 [12807] - info: [2016/04/14] Group title from settings to user profile skipped!
1/12 10:05 [12807] - info: [2016/04/19] Users post count per tid skipped!
1/12 10:05 [12807] - info: [2016/04/29] Dismiss flags from deleted topics skipped!
1/12 10:05 [12807] - info: [2016/05/28] Giving topics:read privs to any group that was previously allowed to Find & Access Category - skipped!
1/12 10:05 [12807] - info: [2016/06/13] Store upvotes/downvotes separately skipped!
1/12 10:05 [12807] - info: [2016/07/12] Upload privileges skipped!
1/12 10:05 [12807] - info: [2016/08/05] Removing best posts with negative scores skipped!
1/12 10:05 [12807] - info: [2016/08/07] Granting edit/delete/delete topic on existing categories - skipped!
1/12 10:05 [12807] - info: [2016/09/22] Setting category recent tids - skipped!
1/12 10:05 [12807] - info: [2016/10/8] favourite -> bookmark refactor - skipped!
1/12 10:05 [12807] - info: [2016/10/14] Creating sorted sets for post replies - skipped!
1/12 10:05 [12807] - info: [2016/11/22] Update global and user language keys - skipped!
1/12 10:05 [12807] - info: [2016/11/25] Creating sorted sets for pinned topcis
1/12 10:05 [12807] - info: [2016/11/25] Creating sorted sets for pinned topics - done
1/12 10:05 [12807] - info: [upgrade] Schema update complete!
1/12 10:05 [12807] - info: [database] Checking database indices.
1/12 10:05 [12807] - info: [database] Checking database indices done!
1/12 10:05 [12807] - info: [build] Building javascript
1/12 10:05 [12807] - info: [build] Building client-side CSS
1/12 10:05 [12807] - info: [build] clientCSS => Completed in 7.597s
1/12 10:05 [12807] - info: [build] Building admin control panel CSS
1/12 10:05 [12807] - info: [build] acpCSS => Completed in 3.882s
1/12 10:05 [12807] - info: [build] Building templates
1/12 10:05 [12807] - info: [build] tpl => Completed in 0.188s
1/12 10:05 [12807] - info: [build] js => Completed in 15.56s
1/12 10:05 [12807] - info: [build] Asset compilation successful. Completed in 15.901s.
======================================================================================================================
NodeBB Setup Completed. Run './nodebb start' to manually start your NodeBB server.
[root@bna-cmty nodebb]# ./nodebb start
Starting NodeBB
"./nodebb stop" to stop the NodeBB server
"./nodebb log" to view server output
"./nodebb restart" to restart NodeBB
[root@bna-cmty nodebb]# (node:13050) DeprecationWarning: Calling an asynchronous function without callback is deprecated.
[root@bna-cmty nodebb]#
Navigate to URL and page loads.
Click on Login and receive session mismatch
Click OK, enter admin credentials, receive csrf error.
-
The only thing in the log is the csrf error.
[root@bna-cmty nodebb]# ./nodebb log
Hit Ctrl-C to exit
tail: cannot open ‘./logs/output.log’ for reading: No such file or directory
tail: ‘./logs/output.log’ has appeared; following end of new file
NodeBB v1.3.0 Copyright (C) 2013-2014 NodeBB Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under certain conditions.
For the full license, please visit: http://www.gnu.org/copyleft/gpl.html
Clustering enabled: Spinning up 1 process(es).
1/12 10:07 [13060] - info: Time: Thu Dec 01 2016 10:07:10 GMT-0600 (CST)
1/12 10:07 [13060] - info: Initializing NodeBB v1.3.0
1/12 10:07 [13060] - info: [database] Checking database indices.
1/12 10:07 [13060] - info: [database] Checking database indices done!
1/12 10:07 [13060] - info: initializing NodeBB ...
1/12 10:07 [13060] - info: [plugins/emoji-one] Initial startup detected. Downloading emojione assets...
1/12 10:07 [13060] - warn: [plugins/load] The following plugins may not be compatible with your version of NodeBB. This may cause unintended behaviour or crashing. In the event of an unresponsive NodeBB caused by this plugin, run `./nodebb reset -p PLUGINNAME` to disable it.
    * nodebb-plugin-composer-default
1/12 10:07 [13060] - info: Routes added
1/12 10:07 [13060] - info: NodeBB Ready
1/12 10:07 [13060] - info: Enabling 'trust proxy'
1/12 10:07 [13060] - info: NodeBB is now listening on: 0.0.0.0:4567
1/12 10:07 [13060] - info: [plugins/emoji-one] Emoji are ready.
1/12 10:10 [13060] - error: /login invalid csrf token
-
Nuked the install and used v1.2.0 and the Session mismatch is gone, but the csrf is still around.
I changed the socket.io version as mentioned in this https://github.com/NodeBB/NodeBB/issues/5241
and session error came back.
So this leads me to believe it is an issue with the versions of something installed.
Is there some level of Node that I should revert back to as a whole instead of using 7.2.0?
[root@bna-cmty nodebb]# npm version
{ nodebb: '1.2.0',
  npm: '3.10.9',
  ares: '1.10.1-DEV',
  cldr: '30.0.2',
  http_parser: '2.7.0',
  icu: '58.1',
  modules: '51',
  node: '7.2.0',
  openssl: '1.0.2j',
  tz: '2016g',
  unicode: '9.0',
  uv: '1.10.1',
  v8: '5.4.500.43',
  zlib: '1.2.8' }
[root@bna-cmty nodebb]#
-
@teh_g said in New install leaves me with session mismatch + invalid csrf:
Anecdotally, I have no issues with the LTS release of node.
6.9.1?
-
@JaredBusch Yup, that is what I am using:
-
Installed v6.9.1 with 1.3.0 and it all worked once I modified src/meta/js.js to have the new path.
Deleted the nodebb folder and dropped the database.
Installed 7.2.0 alongside 6.9.1 via
nvm install v7.2.0
cloned master
ran setup
it all works this time.
-
I spoke too soon.
I logged out of the site to try and make a new account and immediately received the session mismatch error.
Then when I tried to log back in with the admin account I received a csrf token error.
-
@teh_g said in New install leaves me with session mismatch + invalid csrf:
@JaredBusch Yup, that is what I am using:
a new install using node 6.9.1 still sets up socket.io-client higher than 1.7.0 and that requires the path change that was in src/meta/js.js
-
Brand new VM (and this time I made a snapshot prior to installing NPM)
v6.9.1 (Latest LTS: Boron)
v7.0.0
v7.1.0
v7.2.0
[root@bna-cmty ~]# nvm install v6.9.1
######################################################################## 100.0%
Computing checksum with sha256sum
Checksums matched!
Now using node v6.9.1 (npm v3.10.8)
Creating default alias: default -> v6.9.1
[root@bna-cmty ~]# cd /opt
[root@bna-cmty opt]# git clone -b v1.x.x https://github.com/NodeBB/NodeBB nodebb
Cloning into 'nodebb'...
remote: Counting objects: 113047, done.
remote: Compressing objects: 100% (237/237), done.
remote: Total 113047 (delta 141), reused 2 (delta 2), pack-reused 112806
Receiving objects: 100% (113047/113047), 34.95 MiB | 10.35 MiB/s, done.
Resolving deltas: 100% (84842/84842), done.
[root@bna-cmty opt]# cd nodebb
[root@bna-cmty nodebb]# git branch
* v1.x.x
[root@bna-cmty nodebb]# npm version
{ nodebb: '1.4.0',
  npm: '3.10.8',
  ares: '1.10.1-DEV',
  http_parser: '2.7.0',
  icu: '57.1',
  modules: '48',
  node: '6.9.1',
  openssl: '1.0.2j',
  uv: '1.9.1',
  v8: '5.1.281.84',
  zlib: '1.2.8' }
[root@bna-cmty nodebb]#
[root@bna-cmty nodebb]# ./nodebb log
Hit Ctrl-C to exit
tail: cannot open ‘./logs/output.log’ for reading: No such file or directory
tail: ‘./logs/output.log’ has appeared; following end of new file
NodeBB v1.4.0 Copyright (C) 2013-2014 NodeBB Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under certain conditions.
For the full license, please visit: http://www.gnu.org/copyleft/gpl.html
Clustering enabled: Spinning up 1 process(es).
1/12 18:27 [12259] - info: Time: Thu Dec 01 2016 18:27:14 GMT-0600 (CST)
1/12 18:27 [12259] - info: Initializing NodeBB v1.4.0
1/12 18:27 [12259] - info: [database] Checking database indices.
1/12 18:27 [12259] - info: [database] Checking database indices done!
1/12 18:27 [12259] - info: initializing NodeBB ...
1/12 18:27 [12259] - info: [plugins/emoji-one] Initial startup detected. Downloading emojione assets...
1/12 18:27 [12259] - info: Routes added
1/12 18:27 [12259] - info: NodeBB Ready
1/12 18:27 [12259] - info: Enabling 'trust proxy'
1/12 18:27 [12259] - info: NodeBB is now listening on: 0.0.0.0:4567
1/12 18:27 [12259] - info: [plugins/emoji-one] Emoji are ready.
1/12 18:32 [12259] - error: /login invalid csrf token
-
I get these errors either through the Nginx proxy I have in front of it (on another VM)
or direct local IP http://10.254.0.35:4567
-
New VM and used Node 4.6.2 and NodeBB 1.x.x (which now pulls 1.4.0)
Same problems.
There has to be something else causing the problem.
So any ideas on where I can look to track it down?
Again, I followed these instructions (that I wrote based on the official docs): https://mangolassi.it/topic/11695/installing-nodebb-with-mongo-on-centos-7
-
Seems like a similar error to the one I've been experiencing lately (although I'm not using CentOS): https://community.nodebb.org/topic/9886/invalid-csrf-token/3
Perhaps we can figure it out together. Have you tried using older version like 1.1.2?
-
I am seeing the same issue here. I have tried 1.4.0 with both Node 7.2.1 and 6.9.2 on an Ubuntu VM with Redis.
The problem seems to be with the url. NodeBB does not seem to like https://domain.com url. It worked fine when I reverted back to the default http://localhost:4567 but using the localhost URL means assets required by plugins such as emoji are not serving correctly.
This seems to be a pretty critical bug. Any way to prioritize a fix for it?
Thank you!
-
What are you using for your url in config.json?
-
This is the value of url I was trying to use: "url": "https://forums.coinfetch.com".
-
We're using Nginx. Here is the config
upstream io_nodes {
    ip_hash;
    server 127.0.0.1:4567;
    server 127.0.0.1:4568;
    server 127.0.0.1:4569;
    server 127.0.0.1:4570;
}

server {
    listen 80;
    server_name forums.coinfetch.com;
    charset utf-8;

    location /health_check {
        proxy_next_upstream error;
        proxy_redirect off;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://io_nodes;
        break;
    }

    proxy_next_upstream error;
    proxy_redirect off;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-NginX-Proxy true;
    proxy_set_header X-Real-IP $remote_addr;

    if ($http_x_forwarded_proto != "https") {
        return 301 https://$host$request_uri;
    }

    # Socket.IO Support
    proxy_http_version 1.1;
    proxy_set_header Connection "upgrade";
    proxy_set_header Upgrade $http_upgrade;

    gzip on;
    gzip_comp_level 5;
    gzip_min_length 1000;
    gzip_proxied any;
    gzip_types *;

    location @nodebb {
        proxy_pass http://io_nodes;
    }

    location ~ ^/(images|language|sounds|templates|uploads|vendor|src\/modules|nodebb\.min\.js|stylesheet\.css|admin\.css) {
        root /var/www/coinfetchbb/;
        try_files $uri $uri/ @nodebb;
    }

    location / {
        proxy_pass http://io_nodes;
    }

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;";
}
-
Are you running the server behind an AWS load balancer?
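-
One mechanism that yields the logged `invalid csrf token` when `url` is https, shown as an added example that is not part of the thread or NodeBB's code: nginx on `listen 80` with `proxy_set_header X-Forwarded-Proto $scheme;` forwards `http`, a Secure session cookie is then never issued, and the login POST lands in a fresh session whose CSRF token cannot match. Assumptions: TLS terminates on a hop in front of nginx, an https `url` makes the session cookie Secure, and `nginxHop`, `seenProto`, `makeApp` and `loginFlow` are hypothetical names in a simplified model.

```javascript
// Added illustration (not NodeBB or Express source): a stdlib-only model of
// session-cookie and CSRF handling behind a reverse proxy.
const crypto = require('crypto');
const token = () => crypto.randomBytes(16).toString('hex');

// What nginx on `listen 80` sends upstream for each header setting.
// '$scheme' is the scheme of the connection to nginx itself, so always 'http' here.
function nginxHop(headers, xfpSetting) {
  const xfp = xfpSetting === '$scheme' ? 'http' : headers['x-forwarded-proto'];
  return Object.assign({}, headers, { 'x-forwarded-proto': xfp });
}

// With 'trust proxy' enabled the app takes the scheme from X-Forwarded-Proto.
function seenProto(headers) {
  return (headers['x-forwarded-proto'] || 'http').split(',')[0].trim();
}

function makeApp(configUrl) {
  const sessions = new Map();
  // Assumption: an https `url` makes the session cookie Secure.
  const secureCookie = new URL(configUrl).protocol === 'https:';
  return function handle(method, headers, body) {
    let sid = headers.cookie; // simplified: the cookie value is the session id
    if (!sid || !sessions.has(sid)) { // no cookie: brand-new session
      sid = token();
      sessions.set(sid, { csrf: token() });
    }
    const session = sessions.get(sid);
    if (method === 'POST' && body.csrf !== session.csrf) {
      return { status: 403, error: 'invalid csrf token' };
    }
    // A Secure cookie is only sent when the request looks like HTTPS to the app.
    const sendCookie = !secureCookie || seenProto(headers) === 'https';
    return { status: 200, setCookie: sendCookie ? sid : null, csrf: session.csrf };
  };
}

// GET /login, then POST /login carrying whatever cookie the browser received.
function loginFlow(configUrl, xfpSetting) {
  const app = makeApp(configUrl);
  const fromTls = { 'x-forwarded-proto': 'https' }; // set by the TLS-terminating hop
  const page = app('GET', nginxHop(fromTls, xfpSetting), {});
  const next = page.setCookie ? Object.assign({ cookie: page.setCookie }, fromTls) : fromTls;
  return app('POST', nginxHop(next, xfpSetting), { csrf: page.csrf });
}

console.log(loginFlow('https://forum.example.test', '$scheme').error);
console.log(loginFlow('https://forum.example.test', '$http_x_forwarded_proto').status);
```

On a live install the equivalent check is whether the response to the login page carries a `Set-Cookie` header at all.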