[bug] Forbidden - CSRF token invalid
xzol opened this issue · 6 comments
Forbidden - CSRF token invalid
Does not work!
I watched these links: this and this
But it does not work!
I get a token for the JS front end like this:
package main

import (
	"./controllers"
	"./database" // assumed: database.Init() is called below but the import path is not shown in the issue
	"github.com/gorilla/csrf"
	"github.com/gorilla/mux"
	"log"
	"net/http"
)

func main() {
	database.Init()
	router := mux.NewRouter()
	// 32-byte key as gorilla/csrf requires. HttpOnly(false) exposes the _gorilla_csrf cookie
	// to JavaScript, which is not needed here since the masked token is delivered in a
	// response header; Secure(false) only because the site runs over plain HTTP locally.
	csrfMiddleware := csrf.Protect([]byte("qweqwesga3r1kul7oyukhjefw3fsafzv"), csrf.HttpOnly(false), csrf.Secure(false))
	api := router.PathPrefix("").Subrouter()
	api.Use(csrfMiddleware)
	api.HandleFunc("/user/getUser", controllers.GetUser).Methods("GET")
	api.HandleFunc("/apartment/{id:[0-9]+}", controllers.SetApartment).Methods("POST")
	log.Fatal(http.ListenAndServe(":8080", router))
}
The token is obtained in this function:
package controllers

import (
	"encoding/json"
	"net/http"

	"./user" // assumed: user.NewUser is called below but the import path is not shown in the issue
	"github.com/gorilla/csrf"
)

func GetUser(w http.ResponseWriter, r *http.Request) {
	usr := user.NewUser(w, r)
	if usr.IsAuthenticated() {
		usr.Authenticate()
	}
	// csrf.Token(r) returns the masked token tied to this request's _gorilla_csrf cookie;
	// the front end must send it back in X-CSRF-Token together with that same cookie.
	w.Header().Set("X-CSRF-Token", csrf.Token(r))
	js, err := json.Marshal(usr.GetResData())
	if err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	w.Write(js)
}
Response headers by "/user/getUser":
HTTP/1.1 200 OK
Server: nginx/1.17.9
Date: Thu, 16 Apr 2020 13:04:47 GMT
Content-Type: application/json
Content-Length: 344
Connection: keep-alive
Set-Cookie: cookie-name=MTU4NzA0MjI4N3xEdi1CQkFFQ180SUFBUkFCRUFBQVBQLUNBQUlHYzNSeWFXNW5EQThBRFdGMWRHaGxiblJwWTJGMFpXUUVZbTl2YkFJQ0FBRUdjM1J5YVc1bkRBUUFBbWxrQldsdWRETXlCQUlBS0E9PXytgQkDscuD6KkzV5phqBRGyXXX8FbX3ickInnhPKeSvw==; Path=/; Expires=Sat, 16 May 2020 13:04:47 GMT; Max-Age=2592000
Set-Cookie: cookie-name=MTU4NzA0MjI4N3xEdi1CQkFFQ180SUFBUkFCRUFBQVBQLUNBQUlHYzNSeWFXNW5EQVFBQW1sa0JXbHVkRE15QkFJQUtBWnpkSEpwYm1jTUR3QU5ZWFYwYUdWdWRHbGpZWFJsWkFSaWIyOXNBZ0lBQVE9PXxTTz9Fd_xU3fJPkLbwXj0MEuGfqcShRlNw4f7Wr7kTJA==; Path=/; Expires=Sat, 16 May 2020 13:04:47 GMT; Max-Age=2592000
Vary: Cookie
X-Csrf-Token: SVwntUirVHBTympYoFk348zeWlCBOdKZpLVkvIqbhR2T7LG1wWEQ/p5keGC60SqRd0bFPrW3gQeGby9DIjkIiA==
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
I use Vue.js and axios:
where getters.xCsrfToken is the X-Csrf-Token response header from "/user/getUser":
saveApartment: ({ commit, state, getters, dispatch }, payload) => {
    // getters.xCsrfToken holds the X-Csrf-Token header captured from GET /user/getUser
    const instance = axios.create({
        timeout: 1000,
        headers: { "X-CSRF-Token": getters.xCsrfToken }
    });
    return instance.post('/api/apartment/' + payload.id, payload.data, {
        headers: {
            'Content-Type': 'multipart/form-data',
        }
    });
},
I send:
Request URL:http://buysell.lo/api/apartment/69
Request method:POST
Remote address:127.0.0.1:80
Request headers :
Host: buysell.lo
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://buysell.lo/edit/apartments/69
X-CSRF-Token: SVwntUirVHBTympYoFk348zeWlCBOdKZpLVkvIqbhR2T7LG1wWEQ/p5keGC60SqRd0bFPrW3gQeGby9DIjkIiA==
Content-Type: multipart/form-data; boundary=---------------------------21009980263478968121420082223
Content-Length: 2468
Connection: keep-alive
Cookie: _gorilla_csrf=MTU4NzAzMzgyN3xJalp5VTJwNGEwVjZNSEp3T0djck9VSlNTRGQ1ZW05V1JXbE1NRFJwZFhabmNXWkhiekF2TWxnMmFXTTlJZ289fAz8IK5sKCqHq8NKo2j1a4IP6UAY5tTI9aEg-4V3Kb1M; cookie-name=MTU4NzA0MjI4N3xEdi1CQkFFQ180SUFBUkFCRUFBQVBQLUNBQUlHYzNSeWFXNW5EQVFBQW1sa0JXbHVkRE15QkFJQUtBWnpkSEpwYm1jTUR3QU5ZWFYwYUdWdWRHbGpZWFJsWkFSaWIyOXNBZ0lBQVE9PXxTTz9Fd_xU3fJPkLbwXj0MEuGfqcShRlNw4f7Wr7kTJA==
But I get:
Forbidden - CSRF token invalid
I used the debugger:
// Compare the request token against the real token
if !compareTokens(requestToken, realToken) {
r = envError(r, ErrBadToken)
cs.opts.ErrorHandler.ServeHTTP(w, r)
return
}
Why do I get: Forbidden - CSRF token invalid?
Domain: http://buysell.lo (local)
And I use csrf.HttpOnly(false), csrf.Secure(false)
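To show why the compareTokens check quoted above rejects a request whose cookie does not match the header, here is an added, stand-alone Go example. It is not gorilla/csrf's own code and not part of this issue; it re-implements the library's masking scheme with the standard library only. A 32-byte real token lives in the CSRF cookie, and the value exposed in X-CSRF-Token is a random one-time pad followed by the pad XOR the real token (64 bytes, 88 base64 characters, the length of the X-Csrf-Token value above). The server unmasks the header value and constant-time compares it with the cookie's real token, so a header minted against one _gorilla_csrf cookie fails when the POST arrives with a different one. The securecookie authentication of the cookie value and the HTTP plumbing are left out, and the function names are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// tokenLength is the size of the real token; gorilla/csrf also uses 32 bytes.
const tokenLength = 32

// ErrBadToken mirrors the message reported in the issue.
var ErrBadToken = errors.New("Forbidden - CSRF token invalid")

// newRealToken generates the secret the server stores in the CSRF cookie.
// (In gorilla/csrf the cookie value is additionally HMAC-authenticated by
// gorilla/securecookie; that layer is omitted here.)
func newRealToken() ([]byte, error) {
	b := make([]byte, tokenLength)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	return b, nil
}

// mask builds the per-request token handed to the client: a fresh one-time pad
// followed by pad XOR realToken, base64-encoded. Two calls with the same real
// token produce different strings on the wire but unmask to the same value.
func mask(realToken []byte) (string, error) {
	otp := make([]byte, len(realToken))
	if _, err := rand.Read(otp); err != nil {
		return "", err
	}
	out := make([]byte, 0, 2*len(realToken))
	out = append(out, otp...)
	for i := range realToken {
		out = append(out, otp[i]^realToken[i])
	}
	return base64.StdEncoding.EncodeToString(out), nil
}

// unmask recovers the real token from a masked one; nil means malformed input.
func unmask(masked string) []byte {
	raw, err := base64.StdEncoding.DecodeString(masked)
	if err != nil || len(raw) != 2*tokenLength {
		return nil
	}
	otp, xored := raw[:tokenLength], raw[tokenLength:]
	realTok := make([]byte, tokenLength)
	for i := range realTok {
		realTok[i] = otp[i] ^ xored[i]
	}
	return realTok
}

// verify is the server-side comparison: the real token carried by the request's
// cookie against the unmasked X-CSRF-Token header. A header issued for a
// different cookie unmasks to a different value and is rejected.
func verify(cookieRealToken []byte, headerToken string) error {
	got := unmask(headerToken)
	if got == nil || subtle.ConstantTimeCompare(got, cookieRealToken) != 1 {
		return ErrBadToken
	}
	return nil
}

func main() {
	// Browser session A: GET /user/getUser returned headerA for cookie realA.
	realA, _ := newRealToken()
	headerA, _ := mask(realA)
	// A second cookie, e.g. a stale _gorilla_csrf value set for another path or host.
	realB, _ := newRealToken()

	fmt.Println("same cookie:     ", verify(realA, headerA))
	fmt.Println("different cookie:", verify(realB, headerA))
	fmt.Println("garbage header:  ", verify(realA, "not-a-token"))
}
```

The practical check this suggests: compare the _gorilla_csrf cookie in the POST with the one that accompanied the GET that produced the header token. If the browser has picked up a different cookie of that name (different path, host or an older value), every token minted earlier will fail exactly this comparison.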
Are you still having issues with this?
No, this did not work.
Works!
Wrong cookies were sent.
This issue has been automatically marked as stale because it hasn't seen a recent update. It'll be automatically closed in a few days.