SkipTheDragon / inertia-bundle

🧰 Inertia.js server-side adapter for Symfony 5, 6 and 7.
https://projects.wyverr.com/
MIT License
23 stars 2 forks

CSRF Token #8

Closed gdbonino closed 2 months ago

gdbonino commented 3 months ago

I believe that the handling of the CSRF token is not correct, although I cannot say so with certainty. I am seeing that the token is generated both by the page itself and by the profiler bar, with the token of the latter remaining as the cookie. This does not cause a problem (I think), but it seems to me that the profiler bar should not overwrite the token.

Where it does cause a problem is when the backend responds with a redirect. In this case I did some debugging:

1. Page A creates the token with value A1.
2. The user clicks on a link that goes to page B.
3. The backend responds with a redirect to C, but generates token B1.
4. When the JS client requests C, it seems to send token A1, but the backend expects B1.

This is where it is not clear to me whether the problem is that the backend should not generate a new token when there is a redirect, or whether the problem is on the JS client side, which never replaces A1 with B1. If I disable CSRF, everything works correctly.

SkipTheDragon commented 3 months ago

Hi,

Could you provide me with a repository showcasing this problem? That would greatly help me.

gdbonino commented 3 months ago

Yes, I can, but in a couple of weeks. I'm a bit pressed for time right now and I have a trip ahead of me. But by July I promise you a working example.

SkipTheDragon commented 3 months ago

No worries! You can do it when you have time.

WeTurkstra commented 3 months ago

I think I am having the same issue. I am also using a RedirectResponse on a few routes, and after that I am not able to log in or submit a form. I am getting a popup with the text: Something went wrong with Inertia!

I'll try to figure it out.

SkipTheDragon commented 3 months ago

I linked this branch to the issue: https://github.com/SkipTheDragon/inertia-bundle/tree/8-csrf-token where I tried to fix it, but I'm not sure if I tested it right. Would love to hear some feedback on it.

WeTurkstra commented 3 months ago

Unfortunately this doesn't seem to fix it. I had tried the same thing, but it still seems that the CSRF token is regenerated on a redirect response.

SkipTheDragon commented 2 months ago

I'll close this for now until I can reproduce it or somebody will help me with an example.

I used #11 as an example for now and it seems to work.

gdbonino commented 2 months ago

I just tested it and it works perfectly! Thank you very much!!! And sorry for not being able to produce an example... things have been complicated at work and personally.

gdbonino commented 2 months ago

Unfortunately, I have now encountered another problem. It is not related to the redirect, but to the use of Precognition. When using Precognition, being in an input field and pressing the submit button generates two requests almost simultaneously. The first one is the precognition request and the second one is the submit. Here a race condition occurs, since both are sent with the same CSRF token, but by the end of the first one that token is invalid, and therefore the second request (the submit) is rejected by CSRF :(

SkipTheDragon commented 2 months ago

Please open a new issue with an example.

Are we talking about Laravel Precognition? I didn't test this bundle with it. For error handling you could try #6, but I didn't have time to test anything, and the forms branch still has the redirect CSRF bug.

SkipTheDragon commented 2 months ago

Are there any advantages in using Precognition instead of https://inertiajs.com/validation ?

gdbonino commented 2 months ago

Yes, the situation happened to me with Laravel Precognition, but it goes beyond that functionality. The problem is the execution of two simultaneous requests from the same browser. I will now open a new issue.

gdbonino commented 2 months ago

Are there any advantages in using Precognition instead of https://inertiajs.com/validation ?

These are two different functionalities. Laravel Precognition is used to do frontend validation using the backend validation, so no code is duplicated. Roughly speaking, when a form input loses focus, Precognition makes a special request to the backend to partially validate the form, so the user gets immediate feedback if the input is not valid.