joy-framework / joy

A full stack web framework written in Janet

Home Page: https://joy.swlkr.com

Invalid CSRF Token

fancycade opened this issue · comments

Hi there!

I'm running into an invalid CSRF token with POST requests when the server is behind an NGINX proxy.

I've tried a number of NGINX configurations but to no avail.

The source code for the app can be found here.

Thanks!

commented

I’m in the process of making this more explicit, but the csrf middleware reads from the ENCRYPTION_KEY environment variable. Is that set when running behind nginx?

Hopefully this doc can explain it a little better than what I just did on my phone haha

https://github.com/joy-framework/joy/blob/master/docs/form-submission.md

commented

You could also rely on samesite=lax or strict and turn off the csrf middleware like this:

(app {:routes routes :layout layout :csrf-token false})

Thank you very much for the quick reply!

In this case I cloned my repo onto a VM, which didn't track .env, and then made a new file.

Turns out I was wrong to assume that my app was not using the ENCRYPTION_KEY anywhere 😆.

I set it with a key generated from cipher and it is working just fine now.
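
A preflight check for the failure resolved in this thread, where a fresh clone has no `.env` and the CSRF middleware finds no ENCRYPTION_KEY. This is an added example, not code from the thread or from Joy; it assumes `.env` holds plain KEY=value lines and that `sha256sum` is installed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify ENCRYPTION_KEY in a Joy app's .env before starting it.
# Assumption: .env uses plain KEY=value lines, optionally prefixed with
# "export" and optionally quoted. Function names are hypothetical.

# Print the value assigned to KEY in FILE (last assignment wins), or nothing.
env_value() {
    file=$1 key=$2
    sed -n -e "s/^[[:space:]]*export[[:space:]]\{1,\}//" \
           -e "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$file" |
        tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Report the state of ENCRYPTION_KEY in FILE without printing the secret.
# Output: missing-file | missing-key | empty | ok:<first 12 hex of SHA-256>
# The short fingerprint lets you confirm that two hosts hold the same key;
# it is only safe to log when the key was randomly generated.
key_status() {
    file=${1:-.env}
    [ -f "$file" ] || { echo "missing-file"; return 1; }
    grep -Eq '^[[:space:]]*(export[[:space:]]+)?ENCRYPTION_KEY[[:space:]]*=' "$file" ||
        { echo "missing-key"; return 1; }
    value=$(env_value "$file" ENCRYPTION_KEY)
    [ -n "$value" ] || { echo "empty"; return 1; }
    printf 'ok:%s\n' "$(printf '%s' "$value" | sha256sum | cut -c1-12)"
}

# Usage in a start script, run from the app directory:
#   key_status .env || exit 1
```

Since `.env` is normally kept out of version control, running this on every new host catches the missing key before the first form POST fails.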