
connect Module, Error: Forbidden #702

Closed
akhoury opened this issue Dec 30, 2013 · 29 comments

@akhoury
Member

akhoury commented Dec 30, 2013

Occasionally I see this; it doesn't crash NodeBB, but it annoys me.

info: [Auth] Session -R2aX7ifnT_L6bQ7vHUcXFqV logout (uid: 1)
Error: Forbidden
    at Object.exports.error (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/utils.js:60:13)
    at Object.handle (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/csrf.js:54:41)
    at next (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/proto.js:190:15)
    at Object.session [as handle] (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/session.js:302:7)
    at next (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/proto.js:190:15)
    at Object.cookieParser [as handle] (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/cookieParser.js:60:5)
    at next (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/proto.js:190:15)
    at multipart (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/multipart.js:60:27)
    at /home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/bodyParser.js:57:9
    at IncomingMessage.<anonymous> (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/urlencoded.js:70:11)
Error: Forbidden
    at Object.exports.error (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/utils.js:60:13)
    at Object.handle (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/csrf.js:54:41)
    at next (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/proto.js:190:15)
    at Object.session [as handle] (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/session.js:302:7)
    at next (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/proto.js:190:15)
    at Object.cookieParser [as handle] (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/cookieParser.js:60:5)
    at next (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/proto.js:190:15)
    at multipart (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/multipart.js:60:27)
    at /home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/bodyParser.js:57:9
    at IncomingMessage.<anonymous> (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/urlencoded.js:70:11)
Error: Forbidden
    at Object.exports.error (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/utils.js:60:13)
    at Object.handle (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/csrf.js:54:41)
    at next (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/proto.js:190:15)
    at Object.session [as handle] (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/session.js:302:7)
    at next (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/proto.js:190:15)
    at Object.cookieParser [as handle] (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/cookieParser.js:60:5)
    at next (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/proto.js:190:15)
    at multipart (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/multipart.js:60:27)
    at /home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/bodyParser.js:57:9
    at IncomingMessage.<anonymous> (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/urlencoded.js:70:11)
Error: Forbidden
    at Object.exports.error (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/utils.js:60:13)
    at Object.handle (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/csrf.js:54:41)
    at next (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/proto.js:190:15)
    at Object.session [as handle] (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/session.js:302:7)
    at next (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/proto.js:190:15)
    at Object.cookieParser [as handle] (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/cookieParser.js:60:5)
    at next (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/proto.js:190:15)
    at multipart (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/multipart.js:60:27)
    at /home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/bodyParser.js:57:9
    at IncomingMessage.<anonymous> (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/urlencoded.js:70:11)
Error: Forbidden
    at Object.exports.error (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/utils.js:60:13)
    at Object.handle (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/csrf.js:54:41)
    at next (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/proto.js:190:15)
    at Object.session [as handle] (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/session.js:302:7)
    at next (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/proto.js:190:15)
    at Object.cookieParser [as handle] (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/cookieParser.js:60:5)
    at next (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/proto.js:190:15)
    at multipart (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/multipart.js:60:27)
    at /home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/bodyParser.js:57:9
    at IncomingMessage.<anonymous> (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/urlencoded.js:70:11)
Error: Forbidden
    at Object.exports.error (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/utils.js:60:13)
    at Object.handle (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/csrf.js:54:41)
    at next (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/proto.js:190:15)
    at Object.session [as handle] (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/session.js:302:7)
    at next (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/proto.js:190:15)
    at Object.cookieParser [as handle] (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/cookieParser.js:60:5)
    at next (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/proto.js:190:15)
    at multipart (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/multipart.js:60:27)
    at /home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/bodyParser.js:57:9
    at IncomingMessage.<anonymous> (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/urlencoded.js:70:11)
info: [Auth] Session -R2aX7ifnT_L6bQ7vHUcXFqV logout (uid: 2)


@julianlam
Member

You're not the only one, I've seen reports of it on IRC as well. However, we have never been able to narrow it down to a specific set of reproduction steps, so that is a prerequisite before we can begin triaging this CSRF error.

@akhoury
Member Author

akhoury commented Dec 30, 2013

FYI, it may have caused a memory issue, or it could be something else leaking; not sure yet.

Error: Forbidden
    at Object.exports.error (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/utils.js:60:13)
    at Object.handle (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/csrf.js:54:41)
    at next (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/proto.js:190:15)
    at Object.session [as handle] (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/session.js:302:7)
    at next (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/proto.js:190:15)
    at Object.cookieParser [as handle] (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/cookieParser.js:60:5)
    at next (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/proto.js:190:15)
    at multipart (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/multipart.js:60:27)
    at /home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/bodyParser.js:57:9
    at IncomingMessage.<anonymous> (/home/admin/NodeBB/node_modules/express/node_modules/connect/lib/middleware/urlencoded.js:70:11)
FATAL ERROR: CALL_AND_RETRY_2 Allocation failed - process out of memory

@julianlam
Member

Just thinking out loud... It could be related to long sessions... The CSRF token changes each time it is used (to prevent repeat attacks, I'd imagine), so if someone were still on NodeBB after the token has changed, it would result in these kinds of errors...

@barisusakli
Member

So it would happen if you change code on the server side and supervisor restarts, causing the CSRF token to change; then, if you don't reload the browser and make an AJAX call, it would say Forbidden?

@julianlam
Member

Yes, this would do it.

@akhoury
Member Author

akhoury commented Dec 30, 2013

This would do it, but it's not exclusive. I just saw it again now, while tailing the forever log; no restart occurred, no code change either :/

@akhoury
Member Author

akhoury commented Jan 7, 2014

This is spamming the logs overnight :/ and at some point NodeBB becomes unresponsive with no error in the logs.
I had to run forever restartall.

@barisusakli
Member

I wonder if it has something to do with express/connect versions; we didn't have this problem a couple of months ago.

@barisusakli
Member

https://github.com/senchalabs/connect/blob/master/lib/middleware/csrf.js#L82 is what is sending the 403; maybe put some console.logs there to see the token/val.

@julianlam
Member

Looks like express changed the way CSRF tokens were handled? Gee, thanks, I thought this was exactly what semver was supposed to protect against.

I'm not impressed.

@barisusakli
Member

http://stackoverflow.com/questions/20484649/csrf-token-not-working-when-submitting-form-in-express heh, not sure if this will fix it, but worth a shot.

@julianlam
Member

May as well update package.json to express ~3.4.7

@akhoury
Member Author

akhoury commented Jan 7, 2014

Will try that tonight, thanks.

@akhoury
Member Author

akhoury commented Jan 9, 2014

No luck with express ~3.4.7 solving these errors, but I'm hoping for the weird slow responsiveness to go away.

@barisusakli
Member

Time to post at https://github.com/visionmedia/express/issues 😄

@barisusakli
Member

Not sure if this is it, but we put the CSRF token in the header.tpl in NodeBB, and then it doesn't change at all until the page is refreshed? Aren't we supposed to get a new one for each POST request?

Also might be relevant :
senchalabs/connect#866

@julianlam
Member

Also tried upgrading to 3.4.7, and am getting "req.session._csrf is deprecated, use req.csrfToken() instead", which is peculiar, because I removed the only reference to req.session._csrf. It's possible one of our dependencies is using it, but a cursory search of node_modules didn't find anything.

@barisusakli
Member

I read that it is the JSON.stringify in the session middleware. expressjs/express#1741

@barisusakli
Member

@akhoury are you by any chance on any other nodebb instances when this happens?

@akhoury
Member Author

akhoury commented Jan 21, 2014

Hmm, well, yeah, I've seen it locally too.

May not be related, but my current solution is a cron job that restarts the forum every hour :/ - I'm losing memory somewhere.

I'm still on 0.2.1 in production. I see you pushed this issue to 0.3.1, good; waiting for 0.3.0. I'm going to update, then I'll feed back to you.

@akhoury
Member Author

akhoury commented Jan 27, 2014

Still happening.

@barisusakli
Member

senchalabs/connect@138b21c some interesting discussions there. Can you try lowering your max age on cookies to a few minutes and try to get the errors again?

@akhoury
Member Author

akhoury commented Jan 27, 2014

Sure.

@julianlam julianlam modified the milestones: 0.3.2, 0.4.0 Feb 3, 2014
@julianlam julianlam modified the milestones: 0.4.1, 0.3.2 Feb 14, 2014
@barisusakli
Member

Could this be the apple icon? See #977.
Since requests to that file didn't have the session, maybe the CSRF check was failing for all those requests?

@julianlam
Member

Doubtful -- CSRF doesn't trigger on GETs...

Refactoring so that CSRF is added in a middleware may be better (since we use it so sparingly anyway).


@julianlam
Member

Just wondering... @akhoury, are you still seeing these errors?

@akhoury
Member Author

akhoury commented Feb 20, 2014

A lot less frequent; I'm going to say 2-3 times per day based on a quick scan of the logs.
But I'm on 0.3.1.

@barisusakli barisusakli modified the milestones: 0.4.1, 0.4.0 Mar 13, 2014
@jsanchezramos

Hello, I'm implementing an LTI module and I'm seeing the same thing; is there any solution?

Thanks

@barisusakli barisusakli modified the milestones: 0.5.0, 0.4.2 Apr 28, 2014
@barisusakli barisusakli modified the milestones: 0.5.1, 0.5.0 Jun 10, 2014
@julianlam
Member

Since express 4 rolled around and was implemented, does this still happen?

@barisusakli barisusakli modified the milestones: 0.5.2, 0.5.1 Sep 17, 2014