Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Error: CSRF token missing 馃悰 #492

Open
JamieSlome opened this issue Mar 22, 2024 · 5 comments 路 Fixed by #499
Open

Error: CSRF token missing 馃悰 #492

JamieSlome opened this issue Mar 22, 2024 · 5 comments 路 Fixed by #499
Assignees
@JamieSlome
Labels
bug Something isn't working

Comments

@JamieSlome
Copy link
Member

JamieSlome commented Mar 22, 2024
edited

Describe the bug

When logging in via the UI, the following error is received:

Error: CSRF token missing
 at checkCsrf (.../git-proxy/node_modules/lusca/lib/csrf.js:169:18)

To Reproduce

  1. Checkout to the reconcile branch
  2. Go to /login via the UI
  3. Enter admin & admin for username and password credentials
  4. Submit login form
  5. View locally running logs on dev machine

Additional context

CSRF added in PR: #462
@JamieSlome JamieSlome added the bug Something isn't working label Mar 22, 2024
@JamieSlome
Copy link
Member Author

@vaibssingh - heads up on the above 猡达笍 馃憤

JamieSlome added a commit that referenced this issue Mar 22, 2024
@JamieSlome
fix: remove lusca csrf module and app configuration due to breakage #492
ce09e59
@JamieSlome JamieSlome mentioned this issue Mar 22, 2024
Merged
@JamieSlome JamieSlome self-assigned this Mar 22, 2024
@JamieSlome JamieSlome mentioned this issue Mar 22, 2024
Closed
@JamieSlome JamieSlome linked a pull request Mar 22, 2024 that will close this issue
Re-introduce CSRF protection with Lusca 鉂わ笍 #497
Closed
@JamieSlome JamieSlome mentioned this issue Mar 22, 2024
Merged
@JamieSlome JamieSlome reopened this Mar 25, 2024
@JamieSlome
Copy link
Member Author

@vaibssingh - reopening this. Are we able to take a look at this issue on the reconcile branch and open a pull request pointing there instead of main?

Thanks for your time today 鉂わ笍

@JamieSlome
Copy link
Member Author

Reference: nextauthjs/next-auth#88

@JamieSlome
Copy link
Member Author

This blog has been the most useful in getting CSRF setup, I am getting ever closer:

https://medium.com/@sakshi_13861/in-depth-guide-to-counteracting-cross-site-request-forgery-csrf-in-expressjs-8fbe3c36691d

@JamieSlome
Copy link
Member Author

@vaibssingh @maoo - I discovered the fix 馃挭 At the app configuration level, lusca should be set directly after the session has been configured:

app.use(session({ ... }));

app.use(
  lusca({
    csrf: {
      cookie: { name: '_csrf' },
      secret: 'qwerty', // will be configurable via proxy.config.json
    },
    hsts: { maxAge: 31536000, includeSubDomains: true, preload: true },
    nosniff: true,
    referrerPolicy: 'same-origin',
    xframe: 'SAMEORIGIN',
    xssProtection: true,
  }),
);

At each authorised invocation of the API, for example login and logout, the CSRF token stored as a cookie on the client should be retrieved and sent back to the server via the X-CSRF-TOKEN header:

const csrfToken = getCookie('_csrf'); // get CSRF token from Cookies

axios
  .post(
    loginUrl,
    {
      username: username,
      password: password,
    },
    {
      withCredentials: true,
      headers: {
        'Content-Type': 'application/json',
        'X-CSRF-TOKEN': csrfToken, // enforces CSRF protection
      },
    },
  )

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@JamieSlome JamieSlome

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
1 participant
@JamieSlome