The CSRF token is invalid. Can't figure out what is wrong

[Turum]

First Check

• I added a very descriptive title here.
• I used the GitHub search to find a similar question and didn't find it.
• I searched the FastAPI documentation, with the integrated search.
• I already searched in Google "How to X in FastAPI" and didn't find any information.
• I already read and followed all the tutorial in the docs and didn't find an answer.
• I already checked if it is not related to FastAPI but to Pydantic.
• I already checked if it is not related to FastAPI but to Swagger UI.
• I already checked if it is not related to FastAPI but to ReDoc.

Commit to Help

• I commit to help with one of those options 👆

Example Code

import os
import sys

import aiohttp
import asyncio
import logging
from django.core.asgi import get_asgi_application
from fastapi import FastAPI, Request, Form, UploadFile, Depends, Response
from fastapi.responses import HTMLResponse, JSONResponse
from fastapi.templating import Jinja2Templates
from fastapi.staticfiles import StaticFiles
from starlette.applications import Starlette
from starlette.routing import Mount, Router
from fastapi_csrf_protect.exceptions import TokenValidationError, InvalidHeaderError
from channels.auth import AuthMiddlewareStack
from channels.routing import ProtocolTypeRouter, URLRouter
from channels.layers import get_channel_layer
from django.urls import path
from fastapi_csrf_protect import CsrfProtect
from django.shortcuts import render
import secrets
from fastapi_csrf_protect import CsrfProtect
from fastapi_csrf_protect.exceptions import CsrfProtectError
from pydantic import BaseModel

django_asgi = get_asgi_application()
fastapi_app = FastAPI(debug=True)
templates_dir = os.path.join(os.path.dirname(__file__), '..', 'web_tool', 'templates', 'web_tool')
templates = Jinja2Templates(directory=templates_dir)
static_path = os.path.join(os.path.dirname(os.path.dirname(__file__)), 'web_tool', 'static')

logging.basicConfig(level=logging.DEBUG)
logger = logging.getLogger(__name__)


class CsrfSettings(BaseModel):
    secret_key: str = f"{secrets.token_urlsafe(32)}"
    cookie_samesite: str = "lax"
    cookie_samesite: str = "none"
    cookie_secure: bool = True


@CsrfProtect.load_config
def get_csrf_config():
    return CsrfSettings()


def generate_csrf_token() -> str:
    return secrets.token_urlsafe(32)


@fastapi_app.get("/csrf-token")
async def get_csrf_token(response: Response):
    csrf_token = secrets.token_urlsafe(32)
    response.set_cookie(
        key="fastapi-csrf-token",
        value=csrf_token,
        httponly=True,
        samesite='lax',
        secure=False
    )
    logger.debug(f"CSRF Token Issued: {csrf_token}")
    return JSONResponse({"csrf_token": csrf_token})


@fastapi_app.get("/account_management")
async def get_account_management(request: Request, csrf_protect: CsrfProtect = Depends()):
    csrf_token, signed_token = csrf_protect.generate_csrf_tokens()
    return templates.TemplateResponse(
        'account_management.html',
        {"request": request, "csrf_token": csrf_token}
    )
    csrf_protect.set_csrf_cookie(signed_token, response)
    return response


@fastapi_app.post("/account_management", response_class=JSONResponse)
async def post_account_management(request: Request,
                                  csrf_protect: CsrfProtect = Depends(),
                                  account_ids: str = Form(None),
                                  file: UploadFile = None,
                                  acc_operation: str = Form(None),
                                  acc_action: str = Form(None)
                                  ):
    try:
        try:
            logger.debug(f"Request Headers: {request.headers}")
            logger.debug(f"Request Cookies: {request.cookies}")
            logger.debug(f"Received CSRF Token from Headers: {request.headers.get('X-CSRF-Token')}")
            logger.debug(f"Received CSRF Token from Cookies: {request.cookies.get('fastapi-csrf-token')}")
            await csrf_protect.validate_csrf(request)
            logger.debug("CSRF token validation passed")
        except (CsrfProtectError, InvalidHeaderError, TokenValidationError) as e:
            logger.error(f"CSRF Token error: {e}")
            return JSONResponse(status_code=e.status_code, content={"detail": e.message})           
        return JSONResponse(status_code=e.status_code, content={"detail": e.message})
    except (CsrfProtectError, InvalidHeaderError, TokenValidationError, Exception) as e:
        logger.error(f"CSRF Token Validation Error: {str(e)}")
        return JSONResponse(status_code=e.status_code, content={"detail": e.message})

@fastapi_app.exception_handler(CsrfProtectError)
def csrf_protect_exception_handler(request: Request, exc: CsrfProtectError):
    return JSONResponse(status_code=exc.status_code, content={"detail": exc.message})


# Define WebSocket routes
websocket_routes = [
    path('ws/acc_management_progress/<str:task_id>/', AccountStatusConsumer.as_asgi()),
]


class CustomASGIApp:
    def __init__(self):
        self.django_app = django_asgi
        self.fastapi_app = Mount("/fastapi", app=fastapi_app)

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http" and scope["path"].startswith("/fastapi"):
            await self.fastapi_app(scope, receive, send)
        else:
            await self.django_app(scope, receive, send)


application = ProtocolTypeRouter({
    "http": CustomASGIApp(),  # Custom app that directs requests correctly
    "websocket": AuthMiddlewareStack(URLRouter(websocket_routes)),
})

Description

Hello team.
I can't figure out what's wrong. The logs show that the tokens are the same, but the token validation fails. Can you give me a hint?

INFO:     127.0.0.1:62582 - "GET /favicon.ico HTTP/1.1" 404 Not Found
DEBUG:mmo_web_tool.asgi:CSRF Token Issued: 76RTQWf9frgRpQ4UtltableTAvczx_T1oEPVe6B-a-U
INFO:     127.0.0.1:62582 - "GET /fastapi/csrf-token HTTP/1.1" 200 OK
DEBUG:mmo_web_tool.asgi:Request Headers: Headers({'host': '127.0.0.1:8000', 'connection': 'keep-alive', 'content-length': '856', 'sec-ch-ua': '"Chromium";v="124", "Google Chro
me";v="124", "Not-A.Brand";v="99"', 'content-type': 'multipart/form-data; boundary=----WebKitFormBoundaryAs74w2tT8geZtJ2A', 'x-csrf-token': '76RTQWf9frgRpQ4UtltableTAvczx_T1oE
PVe6B-a-U', 'sec-ch-ua-mobile': '?0', 'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36', 'sec-ch-
ua-platform': '"Windows"', 'accept': '*/*', 'origin': 'http://127.0.0.1:8000', 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty', 'referer':
 'http://127.0.0.1:8000/fastapi/account_management', 'accept-encoding': 'gzip, deflate, br, zstd', 'accept-language': 'ru,en-US;q=0.9,en;q=0.8,ru-RU;q=0.7', 'cookie': 'fastapi-csrf-token=76RTQWf9frgRpQ4UtltableTAvczx_T1oEPVe6B-a-U; csrftoken=jGzOzYiGmGcLOjPuSiTGVHoVIcfn82u2; sessionid=sfgjvzah4zl0zvy0fe01g4krbub6zdnb'})
DEBUG:mmo_web_tool.asgi:Request Cookies: {'fastapi-csrf-token': '76RTQWf9frgRpQ4UtltableTAvczx_T1oEPVe6B-a-U', 'csrftoken': 'jGzOzYiGmGcLOjPuSiTGVHoVIcfn82u2', 'sessionid': 'sfgjvzah4zl0zvy0fe01g4krbub6zdnb'}
DEBUG:mmo_web_tool.asgi:Received CSRF Token from Headers: 76RTQWf9frgRpQ4UtltableTAvczx_T1oEPVe6B-a-U
DEBUG:mmo_web_tool.asgi:Received CSRF Token from Cookies: 76RTQWf9frgRpQ4UtltableTAvczx_T1oEPVe6B-a-U
ERROR:mmo_web_tool.asgi:CSRF Token error: The CSRF token is invalid.
INFO:     127.0.0.1:62582 - "POST /fastapi/account_management HTTP/1.1" 401 Unauthorized
INFO:     connection closed
INFO:     ('127.0.0.1', 62584) - "WebSocket /ws/acc_management_progress/46c4fd89-ac52-42f0-8652-6a6b174a501b/" [accepted]
WARNING:  StatReload detected changes in 'mmo_web_tool\asgi.py'. Reloading...

Operating System

Windows

Operating System Details

Windows 11

FastAPI Version

0.110.3

Pydantic Version

2.7.1

Python Version

Python 3.10.6

Additional Context

No response

[YuriiMotov]

As I see you have two csrf tokens:

1. fastapi-csrf-token, generated by secrets.token_urlsafe(32)
2. csrftoken, generated by csrf_protect.generate_csrf_tokens()

csrf_protect.validate_csrf(request) expects that you pass csrftoken in the x-csrf-token, but in your request you put fastapi-csrf-token into this header parameter.

So, I think you should send csrftoken instead of fastapi-csrf-token in the x-csrf-token header

[Turum]

Yes, it helped. Thank you.