Auth logout not working with defaultCsrfMiddleware #1151

Closed
mrP0tat0Head opened this Issue Jan 21, 2016 · 2 comments

mrP0tat0Head commented Jan 21, 2016

I tried out the authentication example from yesodweb, but if I add the "defaultCsrfMiddleware" to my "yesodMiddleware" the logout mechanism with the auth plugin does not work and I get the "Permission denied" error. But the XSRF-TOKEN is sent with the cookie and it's the same token as in the session, so the logout should work.

I got the logout working with either:

  • Don't set defaultCsrfMiddleware
  • Or hack the logout form by adding an invisible input with the token manually (in the browser (after disabling JavaScript)).

I think it would fix this error if we add here an invisible input with the token, like it's done by the runFormPost.

But I'm not sure if that's all.

mrP0tat0Head changed the title from "Auth logout with defaultCsrfMiddleware not working" to "Auth logout not working with defaultCsrfMiddleware" Jan 21, 2016
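
The check behind the "Permission denied" in the report above, as an added example that is not part of the original thread and not yesod-core's source: a header-or-parameter CSRF check compares the session token with a value echoed in a request header or POST field and does not read the cookie, so a logout form without the hidden input is rejected even when the cookie matches. The `Request` and `Verdict` types, `csrfCheck` and the sample token are hypothetical; the cookie, header and field names are yesod-core's defaults.

```haskell
-- Added example: a pure model of a header-or-parameter CSRF check.
-- Request, Verdict and csrfCheck are hypothetical names, not yesod-core's API.
import Data.Maybe (catMaybes)

data Request = Request
  { reqMethod  :: String
  , reqCookies :: [(String, String)]
  , reqHeaders :: [(String, String)]
  , reqParams  :: [(String, String)]  -- fields of the POST body
  }

data Verdict = Allowed | PermissionDenied deriving (Eq, Show)

-- Names matching yesod-core's defaults.
cookieName, headerName, paramName :: String
cookieName = "XSRF-TOKEN"
headerName = "X-XSRF-TOKEN"
paramName  = "_token"

-- Only state-changing methods are checked.
isWrite :: String -> Bool
isWrite m = m `notElem` ["GET", "HEAD", "OPTIONS", "TRACE"]

-- The cookie is never consulted: a browser attaches it to every request for
-- the site, including one triggered from another origin, so it proves nothing.
-- The token has to be echoed in a header or a form field.
csrfCheck :: String -> Request -> Verdict
csrfCheck sessionToken req
  | not (isWrite (reqMethod req)) = Allowed
  | sessionToken `elem` echoed    = Allowed
  | otherwise                     = PermissionDenied
  where
    echoed = catMaybes [ lookup headerName (reqHeaders req)
                       , lookup paramName  (reqParams req) ]

main :: IO ()
main = mapM_ report
  [ ("logout form, cookie only",       base)
  , ("logout form with hidden _token", base { reqParams  = [(paramName, tok)] })
  , ("XHR with X-XSRF-TOKEN header",   base { reqHeaders = [(headerName, tok)] })
  , ("hidden field, wrong token",      base { reqParams  = [(paramName, "guess")] })
  ]
  where
    tok  = "c0nstructed-sample-token"  -- constructed value, not a real token
    base = Request "POST" [(cookieName, tok)] [] []
    report (label, r) = putStrLn (label ++ ": " ++ show (csrfCheck tok r))
```
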

snoyberg commented Jan 22, 2016

@gregwebs any objection to removing the csrf middleware from the scaffolding? I don't know anything about it, but this is the second bug I've seen new users report.

snoyberg added a commit to yesodweb/yesod-scaffold that referenced this issue Jan 24, 2016

snoyberg added a commit that referenced this issue Jan 24, 2016

snoyberg commented Jan 24, 2016

I've just released version 1.4.19 of yesod-core which should fix this problem. I've also sent a PR to remove defaultCsrfMiddleware from the scaffold. Thanks for the report!

@snoyberg snoyberg closed this Jan 24, 2016

gregwebs added a commit to yesodweb/yesod-scaffold that referenced this issue Jan 24, 2016

Merge pull request #125 from yesodweb/no-csrf-middleware
Don't enable defaultCsrfMiddleware by default yesodweb/yesod#1151