H
@PitaJ @julian
Apologies for not replying and thank you for the suggestions!
I figured out the issue with csrf. I had to set the config url to be that of my client app instead of the nodebb instance.
Using this I'm able to request the csrf token from the config endpoint and use that in subsequent requests.
Thanks for your response @PitaJ !
Yes I'm setting the csrf token like that
The NextJS rewrite is server-side. The NextJS server rewrites some paths (e.g. myapp.com/api/users) to point to by NodeBB instance (e.g. mynodebb.com/api/users), essentially it's a proxy so I don't have to mess with CORS.
I'm already using fetch 
Having said all this I figured out the issue. I needed to set the canonical url in NodeBB config to be my frontend URL, not the URL at which NodeBB is served.
So I fixed the csrf token issue and now I have another issue 🫠...
I can login but the endpoint always returns a 404 error.
My plugin adds a new auth endpoint (/auth/lit-protocol) which adds a new passport login strategy but I always get a 404 even though I get logged in to NodeBB.
I'm trying to use NodeBB as a headless forum (i.e. just a REST API with a separate front end) but keep getting an "invalid csrf token" error when I try to authenticate.
I've confirmed I can authenticate via the NodeBB UI on the same instance.
I've also tried getting the NodeBB config and using the csrf token from there in my requests but it still does not work.
My frontend is a NextJS app that rewrites all /api/:path* requests to http://<MY-NODE-BB-INSTANCE>/api/:path*. It also rewrites the auth paths.
I can see the requests reach NodeBB but always get "invalid csrf token".
I've verified that I can successfully call GET endpoints from my app, e.g. I can get the user list from /api/users.
