Baroshem / nuxt-security

🛡 Automatically configure your app to follow OWASP security patterns and principles by using HTTP Headers and Middleware
https://nuxt-security.vercel.app/
MIT License

CSRF #477

Open moshetanzer opened 1 week ago

moshetanzer commented 1 week ago

Hi,

Thanks again for your great library.

Having this issue wonder if you could point me in the right direction.

I have CSRF protection enabled for my login page. My app is hosted on Vercel.

It seems that the first time our customer comes back to the app, the CSRF check always fails and requires a page reload for it to work.

It is an internal app, only used, I would say, weekly. Could it be something with Vercel's serverless architecture? Seems strange.

Any suggestions?

Latest version nuxt-security: nuxt:

Baroshem commented 1 week ago

That is an interesting question @Morgbn would you have some ideas about it?

moshetanzer commented 1 week ago

Have disabled for now... would love a solution

moshetanzer commented 1 week ago

Also, it has been a pain since when you disable csurf in the nuxt config, the whole app breaks because csrf is not found...

christie-hill-za commented 1 week ago

I also just noticed this issue with a form. I am hosting our Nuxt site on Azure Static Web Apps.

Not sure what the cause could be, but if I have more info, I will share here.

Baroshem commented 1 week ago

Don't have an answer now. I would love to get feedback from @Morgbn about it as he knows the stuff :)

moshetanzer commented 1 week ago

Hi,

I think that maybe a warning should be put on the website (even though it is disabled by default) that CSRF doesn't work properly with serverless functions.

Morgbn commented 1 week ago

Hello, I recently noticed the same thing on a project hosted on Cloudflare. I need to investigate; I'll get back to you as soon as I know more!

moshetanzer commented 6 days ago

The issue is simple. Functions should be considered stateless due to their cold-start nature, which means any solution using the same method cannot work. We have to change this CSRF to the double-submit cookie pattern.

UPDATE: I think it will be better and easier to just go with the Origin method. @Baroshem, should we get the host from an env variable, or from Host or X-Forwarded-Host? The issue is that I think X-Forwarded is disabled by default?

If I have a bit of time 😇 will open a PR.