expressjs / csurf

CSRF token middleware


User's CSRF Token is invalid but doesn't look like so

DanielVip3 opened this issue · comments

My web app is in beta test, and one of our beta testers, when testing from his mobile phone, is having some trouble with CSRF token validation. From any other of his devices it works correctly, but from his Google Chrome on Android 8 it just seems that CSRF won't work.

Why though?
As I checked from the sent HTML file, and on the server, everything should be fine. For example:

<form method="POST" action="{{baseURL}}/api/user/login?_csrf={{{csrfToken}}}">
    <input type="hidden" name="_csrf" value="{{{csrfToken}}}">
    <!-- Other things -->
</form>

and the csrfToken received from the server is the same one he's got in his page; for example, in one test it was 1HlAedX9-KenOchw-lFJ-fWKUgz8rzGEMh4I.
We could see it in req.body when logged to console:

{
    '_csrf': "1HlAedX9-KenOchw-lFJ-fWKUgz8rzGEMh4I",
    'username': "blabla",
    'password': "blabla",
    'g-recaptcha-response': "blabla",
}

but Invalid CSRF Token error was thrown.

Why should this not work, only for this user? Could there be a problem which I can't understand?
For everyone else it just works fine, and he doesn't seem to be any different.
Obviously I tried with cookie: true and cookie: false, but it's the same thing.
And, obviously, I loaded both cookie-parser and session before loading csurf.
Also, when logged, req.cookies seems to be empty (not containing the csrf cookie) but it should work anyway, because both req.body._csrf and req.query._csrf exist.

I also tried with a custom value function, like this:

app.use(csrf({ cookie: true, value: function(req) {
    if (req.method === "POST") console.log(req.cookies, req.body); // there's where I log user's request to test
    if (req.cookies._csrf) return req.cookies._csrf.trim(); // I also tried to trim the token; it doesn't work anyway, and doesn't make any difference
    if (req.body._csrf) return req.body._csrf.trim();
    if (req.query._csrf) return req.query._csrf.trim();
    if (req.headers['csrf-token']) return req.headers['csrf-token'].trim();
    if (req.headers['xsrf-token']) return req.headers['xsrf-token'].trim();
    if (req.headers['x-csrf-token']) return req.headers['x-csrf-token'].trim();
    if (req.headers['x-xsrf-token']) return req.headers['x-xsrf-token'].trim();
}}));

Any idea? Thanks for any help.

Hi @DanielVip3 sorry you are having issues. Based on your description, especially with all other devices working, it does really sound like perhaps an issue with that device, either it has some setting on it preventing it from working or that web browser is not compatible and perhaps we need to change something in this module to support it. Unfortunately, without even access to that device / web browser combination myself, I'm not sure what I can actually do to diagnose what the underlying issue is.

@dougwilson so uhm, would there be a way to examine the thing myself, asking the user what to do?
What should I specifically examine?
Thanks.

What is the configuration you have for this module (the arguments provided to csurf())?

For now, I pass only
csurf({ cookie: true });, nothing else.
I removed the custom value function, which I only used to test.
Could it depend on the secret key I pass to cookie-parser and express-session?

Cool. So the basic validation for that particular set up is just to check if the page that loads with the HTML form you put above should contain a Set-Cookie response header with a _csrf cookie. Then check if that web browser does indeed have that _csrf cookie stored in the cookie storage for it with the same value in the header. Then check that, when the form is submitted, that the web browser sends a Cookie header with the request and one of the values in that header is _csrf= and after the equals is the same value that was in Set-Cookie from before.

Uhm okay, so I should indeed test cookies. I'm gonna see and let you know soon.

Sorry, that was an issue with this tester who had cookies disabled without us noticing.
Thanks for your help in identifying the issue, and sorry for the useless issue and any disturbance.
I'm gonna close this issue.