Error fetching csrf token with sails and ember on different host #11

Closed
tibotiber opened this issue Mar 23, 2015 · 14 comments

@tibotiber

Hi. Thanks again for the work.
It seems your REST adapter is trying to fetch a csrf token from the ember host, not the sails host. GET requests are ok but as soon as I POST, I get

GET http://dev.planecq.com:4200/csrfToken 404 (Not Found) 

and ...:4200 is my ember host, sails is on ...:1337.

@tibotiber
Author

Using the socket adapter, I get the following issue (csrf value is null):

[ed-sails] got a new CSRF token: null

That may be the same underlying issue but I'm still looking into it as there is no explicit debug available out of the box for this one. Thanks!

@tibotiber
Author

ping @huafu ;)

@tibotiber
Author

I got some time to look into it. For SailsRESTAdapter, I fixed it by building the url using the original RESTAdapter mixin: replaced '/csrfToken' in the ajax call by this.buildURL(null, null, null, null) + '/csrfToken'. It now calls the sails backend but I'm having some cors issue I don't have with other resources. The error is as follows:

XMLHttpRequest cannot load https://dev.planecq.com:1337/csrfToken. The 'Access-Control-Allow-Origin' header contains the invalid value ''. Origin 'http://dev.planecq.com:4200' is therefore not allowed access.

This is strange because my cors is enabled for http://dev.planecq.com:4200. Still need to look into it a bit more. Any idea?

As for the SailsSocketAdapter, it doesn't seem to be related since it goes to sails through the socket service. But I'm still getting a {_csrf: null} response. Weird again. Need to understand again. Any idea again? ;)

When all is ok, I can submit a PR for the fix of the SailsRESTAdapter if you want. This affects all url based settings such as host and namespace.

@huafu
Owner

huafu commented Mar 30, 2015

Sorry, got a deadline and had to work hard on another project ;-)

Now on this!

@tibotiber
Author

Ahah no problem. Been there 😛

@huafu huafu closed this as completed in 63dffb1 Mar 30, 2015
@huafu
Owner

huafu commented Mar 30, 2015

@tibotiber can you test with b724222? (put this in package.json devDependencies: ember-data-sails: "huafu/ember-data-sails#b724222")

Please lemme know if it is ok, then I'll tag the version and publish it to npm so that you can use npm install --save-dev ember-data-sails

@huafu huafu reopened this Mar 30, 2015
@huafu huafu added the bug label Mar 30, 2015
@huafu huafu self-assigned this Mar 30, 2015
@huafu huafu modified the milestone: 0.0.15 Mar 30, 2015
@tibotiber
Author

b724222 solved the host issue, perfect. Thanks. I'm closing this then 👍.

I'm still having the XMLHttpRequest cannot load ... for SailsRESTAdapter, and now a new error trying to get new CSRF token: Got an empty CSRF token from the server! for SailsSocketAdapter. I'm not sure at all this is related to your adapters though. I'm gonna check this more and submit as an independent issue if needed. Do you have any idea by any chance?

@huafu
Owner

huafu commented Mar 30, 2015

I actually had the same issue locally. I created a bare new project and asked you to test because I thought I misconfigured something on the sails side and got no time to dig into it.

The new message you see is just some more helpful information that I added. What happens is that sails returns a correct response (2xx) when asking for the CSRF token on GET /csrfToken, but the returned token is null in the response. So even if it was not a misconfiguration of SailsJS on my side, I believe this is a SailsJS issue. In that case, if you report an issue in SailsJS, please link this issue in the SailsJS issue ;-)

huafu added a commit that referenced this issue Mar 30, 2015
@tibotiber
Author

Yeah exactly my feeling as well. Thanks again for your help. Will look into this more when I get some time and submit to sailsjs as you recommend.

@tibotiber
Author

Hi @huafu, I finally got it. From sails' csrf config doc, csrf is normally activated by setting csrf: true in config/csrf.js and cors authorised origins in cors.js. However, the /csrf route is a special case, so to activate cors on this route you need to activate csrf with an object instead of a boolean. It is now working with the following in config/csrf.js (sails side of course):

module.exports.csrf = {
    origin: 'http://dev.planecq.com:4200'    
};

Maybe you can put a note on this in the README?
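
The CORS behaviour described in the comment above, as an added example that is not part of the original thread and is not Sails or browser source code. It is a simplified model: the `cors.origin` key, the helper names and the sample configs are assumptions made for illustration.

```javascript
// Added example: a simplified model, not Sails or browser source code.

// Serialise an origin the way the browser does for the Origin header.
function originOf(url) {
  return new URL(url).origin;
}

// Origins allowed for a path. Per the thread, /csrfToken does not use the
// general CORS list; it uses csrf.origin, present only when csrf is an object.
function allowedOrigins(path, config) {
  const csrfIsObject = typeof config.csrf === 'object' && config.csrf !== null;
  const list = path === '/csrfToken'
    ? (csrfIsObject ? config.csrf.origin : '')
    : config.cors.origin;
  return String(list || '').split(',').map((s) => s.trim()).filter(Boolean);
}

// Value the server would put in Access-Control-Allow-Origin.
function allowOriginHeader(path, requestOrigin, config) {
  const allowed = allowedOrigins(path, config);
  if (allowed.includes('*')) return '*';
  return allowed.includes(requestOrigin) ? requestOrigin : '';
}

// Browser-side check: the header must equal the page origin exactly
// (scheme, host and port); '*' is refused for credentialed requests.
function browserAllows(pageUrl, header, withCredentials) {
  if (header === '*') return !withCredentials;
  return header === originOf(pageUrl);
}

// Constructed sample configs: csrf as a boolean, then as an object.
const pageUrl = 'http://dev.planecq.com:4200/posts/new';
const corsConfig = { origin: 'http://dev.planecq.com:4200' };
const csrfBoolean = { cors: corsConfig, csrf: true };
const csrfObject = { cors: corsConfig, csrf: { origin: 'http://dev.planecq.com:4200' } };

function check(path, config) {
  const header = allowOriginHeader(path, originOf(pageUrl), config);
  return { header, allowed: browserAllows(pageUrl, header, true) };
}

console.log(check('/posts', csrfBoolean));     // ordinary route passes
console.log(check('/csrfToken', csrfBoolean)); // empty header, blocked
console.log(check('/csrfToken', csrfObject));  // passes once csrf.origin is set
```
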

@huafu
Owner

huafu commented Apr 3, 2015

Thanks, v0.0.15 released and published ;-)

@jamesdixon

@tibotiber any chance you could provide an example of your working CSRF setup between Ember and Sails? I keep getting a CSRF Mismatch and cannot figure it out for the life of me. I've tried everything.

Thanks!

@tibotiber
Author

@jamesdixon if I don't miss anything, I'm having on sails side:

// config/csrf.js
module.exports.csrf = {
    routesDisabled: '/auth/login,/auth/logout,/users/jwt,/upload',
    origin: 'http://b2d:32769'
};

origin is as explained above in case you have CORS enabled. The routes are pretty use-case dependent, here I'm basically allowing authentication and fetching of json web tokens (see waterlock) without caring about CSRF.

// config/blueprints.js
module.exports.blueprints = {
    pluralize: true
};

On Ember side, I'm using v0.0.15 with the following:

// config/environment.js
/* config for ember-data-sails */
ENV.APP.SAILS_LOG_LEVEL = 'debug';
ENV.APP.emberDataSails =  {
    host: 'https://dev.planecq.com:1337',
    scriptPath: '/js/dependencies/sails.io.js'
};
// allow to fetch the script
ENV.contentSecurityPolicy['script-src'] += ' https://dev.planecq.com:1337';
// allow the websocket to connect
ENV.contentSecurityPolicy['connect-src'] += ' https://dev.planecq.com:1337 wss://dev.planecq.com:1337';
/* end of config for ember-data-sails */

// app/adapters/application.js
import SailsSocketAdapter from 'ember-data-sails/adapters/sails-socket';

// extend the adapter that is actually imported above
export default SailsSocketAdapter.extend({
    useCSRF: true,
    coalesceFindRequests: true
});

@jamesdixon

@tibotiber thanks for this! Unfortunately, I'm still having issues. Are you doing any requests outside of what's done by Ember Data? For example, my authentication uses Ember.$.post() and I have to pass the CSRF token along with that. I tried to automate that process by using an initializer and then using ajaxSetup() to automatically add the token, but no luck. If you have a second and wouldn't mind checking out my StackOverflow Question where I go into detail on my issue, I'd appreciate it. Maybe you can spot something that I haven't been able to after looking at this thing for 200 hours...lol.

Cheers,
James
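
The client-side token handling discussed across this thread (token URL built from the API host, an empty token treated as an error, the token attached to state-changing requests made outside Ember Data), as an added example that is not part of the original thread and is not ember-data-sails code. The helper names and sample values are hypothetical; the `X-CSRF-Token` header and the use of credentialed requests are assumptions about the Sails setup.

```javascript
// Added example, not ember-data-sails code; helper names are hypothetical.

// Build the token URL from the API host (and optional namespace), never from
// a bare '/csrfToken', which the browser resolves against the page's host.
function csrfTokenUrl({ host, namespace }) {
  const ns = namespace ? '/' + namespace.replace(/^\/+|\/+$/g, '') : '';
  return host.replace(/\/+$/, '') + ns + '/csrfToken';
}

// The thread shows GET /csrfToken answering with {_csrf: ...}. A 2xx reply
// carrying null or '' is a failure and must not be stored as a token.
function extractToken(body) {
  const token = body && body._csrf;
  if (typeof token !== 'string' || token.length === 0) {
    throw new Error('Got an empty CSRF token from the server');
  }
  return token;
}

// Return the request with the token attached when it is needed: only for
// state-changing methods, and only for requests going to the API origin,
// so the token is never sent to another host.
function withCsrf(request, token, apiHost) {
  const safe = /^(GET|HEAD|OPTIONS)$/i.test(request.method);
  const sameApi = new URL(request.url).origin === new URL(apiHost).origin;
  if (safe || !sameApi) return request;
  return {
    ...request,
    headers: { ...request.headers, 'X-CSRF-Token': token },
    withCredentials: true, // assumed: token is checked against the session cookie
  };
}

// Constructed sample values.
const api = { host: 'https://dev.planecq.com:1337' };
const token = extractToken({ _csrf: 'constructed-token-123' });
const login = withCsrf(
  { method: 'POST', url: api.host + '/auth/login', headers: {} }, token, api.host);
console.log(csrfTokenUrl(api), login.headers);
```
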
