juanbzpy/next-csrf

"Signed cookie string must be provided." with multiple cookies

vla-dev opened this issue · 2 comments

Avoid calling 'unsign' if the token from the cookie is 'undefined'. If the first argument is not a 'string', the unsign function will always throw "Signed cookie string must be provided."

src/cookies/getCookie.ts

```ts
import { parse } from "cookie";
import type { NextApiRequest } from "next";

// Declared return type is `string`, but `parsedCookie[name]` is `undefined`
// when the named cookie is absent, and that value is passed straight to unsign().
function getCookie(req: NextApiRequest, name: string): string {
  if (req.headers.cookie != null) {
    const parsedCookie = parse(req.headers.cookie);
    return parsedCookie[name];
  }

  return "";
}
```

PR fix here

This function checks if headers.cookie !== null and tries to get the token from the parsed cookie, but a cookie could be present that is not the XSRF token.

Let's say I'm also using Google Analytics (gtag), which sets its own cookies such as: _ga=GA1.1.1798070841.1638877244;

parsedCookie will be:

```js
parsedCookie = {
  "_ga": "GA1.1.1798070841.1638877244"
}
```

and the return statement parsedCookie[name], where name is tokenKey (by default XSRF-TOKEN), will be undefined

then...

src/middleware/csrf.ts

```ts
const tokenFromCookie = getCookie(req, tokenKey);
const tokenFromCookieUnsigned = unsign(tokenFromCookie, secret);
```

Since tokenFromCookie is undefined, and the first argument must be of type string, this function will always throw "Signed cookie string must be provided." and the request will fail with status 500.
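The failure mode above, with a hardened lookup beside it, as an added example that is not next-csrf's own code: `parseCookieHeader` and `sign`/`unsign` are small inline stand-ins for the `cookie` and `cookie-signature` packages (the real `unsign` throws on a non-string exactly like the stand-in), and `checkCsrfCookie` is an assumed middleware core that turns a missing or foreign-only cookie into a 403 instead of an uncaught exception.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Stand-in for cookie.parse(): "a=1; b=2" -> { a: "1", b: "2" } (first occurrence wins).
function parseCookieHeader(header: string): Record<string, string> {
  const out: Record<string, string> = {};
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const key = part.slice(0, idx).trim();
    if (key && !(key in out)) out[key] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Stand-in for cookie-signature: "value.<base64 HMAC-SHA256>", `false` on a bad MAC,
// and a throw on a non-string input, which is the behaviour the issue runs into.
function sign(value: string, secret: string): string {
  const mac = createHmac("sha256", secret).update(value).digest("base64").replace(/=+$/, "");
  return `${value}.${mac}`;
}
function unsign(input: unknown, secret: string): string | false {
  if (typeof input !== "string") throw new TypeError("Signed cookie string must be provided.");
  const value = input.slice(0, input.lastIndexOf("."));
  const a = Buffer.from(input), b = Buffer.from(sign(value, secret));
  return a.length === b.length && timingSafeEqual(a, b) ? value : false;
}

// Hardened lookup: the return type admits `undefined`, so callers must handle the missing case.
function getCookie(cookieHeader: string | undefined, name: string): string | undefined {
  if (cookieHeader == null) return undefined;
  return parseCookieHeader(cookieHeader)[name];
}

type CsrfCheck = { ok: true; token: string } | { ok: false; status: 403; reason: string };

// Middleware core: guard before unsign() so a client without the token gets 403, not 500.
function checkCsrfCookie(cookieHeader: string | undefined, tokenKey: string, secret: string): CsrfCheck {
  const tokenFromCookie = getCookie(cookieHeader, tokenKey);
  if (typeof tokenFromCookie !== "string") return { ok: false, status: 403, reason: "missing CSRF cookie" };
  const unsigned = unsign(tokenFromCookie, secret);
  if (unsigned === false) return { ok: false, status: 403, reason: "invalid CSRF cookie signature" };
  return { ok: true, token: unsigned };
}
```

With only the `_ga` cookie present, `checkCsrfCookie` returns a 403 result where the original code path would have thrown from `unsign`.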

I have the same problem, but any fix that I created doesn't help me.