TriliumNext / Notes

Build your personal knowledge base with TriliumNext Notes
https://triliumnext.github.io/Docs/
GNU Affero General Public License v3.0

(Bug report) 403 POST tree/load - Invalid CSRF token #486

Open briped opened 1 month ago

briped commented 1 month ago

TriliumNext Version

0.90.4

What operating system are you using?

Other Linux

What is your setup?

Local + server sync

Operating System Version

Debian GNU/Linux 12 (bookworm)

Description

When accessing Trilium Notes after an indeterminate amount of time (over 1 day?), access fails with the error (title :: message) "403 POST tree/load :: Invalid CSRF token".

In troubleshooting I have found that opening another browser works fine, but it still fails in the main browser. Even using the desktop Trilium app works, but I have seen it failing in previous sessions. My best bet for this is the fact that the previous session has not been stored in the working clients/browsers.

Looking at the available cookies for the failing and working browsers, the failing one shows 2-4 _csrf tokens, whereas the working one just shows the expected 1 _csrf token.

Clearing the cookies in the failing browser resolves the issue, but it returns as described above.

Same issue as this one: https://github.com/zadam/trilium/issues/4186 (my comment)

Client details:

OS:

Name Value
Edition Windows 11 Pro
Version 24H2
OS build 26100.2152
Experience Windows Feature Experience Pack 1000.26100.32.0

Browser:

https://brave.com/latest/#desktop-release-notes-v170126

Server details:

OS:

Debian GNU/Linux 12 (bookworm)

Trilium Web App:

Name Value
Homepage: https://github.com/TriliumNext/Notes
App version: 0.90.4
DB version: 228
Sync version: 32
Build date: 2024-08-09T22:05:59Z
Build revision: 2a5c444eff3eb99389339716ea8bfc989be90ecd

compose.yaml

networks:
  proxy:
    external: true

services:
  triliumNext:
    image: triliumnext/notes:latest
    container_name: triliumNext
    hostname: real-hostname
    restart: unless-stopped
    environment:
      - TZ=UTC
      - USER_UID=12345
      - USER_GID=12345
    volumes:
      - /home/user/.local/share/triliumNext-data:/home/node/trilium-data
    networks:
      proxy:
    labels:
      - traefik.enable=true
      - traefik.docker.network=proxy
      - traefik.http.routers.rtr-triliumNext.entryPoints=https
      - traefik.http.routers.rtr-triliumNext.rule=Host(`sub.domain.tld`) && ClientIP(`192.0.2.0/24`)
      - traefik.http.services.svc-triliumNext.loadBalancer.server.scheme=http
      - traefik.http.services.svc-triliumNext.loadBalancer.server.port=8080
      - traefik.http.routers.rtr-triliumNext.service=svc-triliumNext

Error logs

Backend logs:

16:19:28.168 JS Error: Uncaught error: Message: Uncaught TypeError: Cannot read properties of undefined (reading 'activeNtxId'), URL: https://SUB.DOMAIN.TLD/assets/v0.90.4/app-dist/desktop.js, Line: 2, Column: 99451, Error object: {}, Stack: TypeError: Cannot read properties of undefined (reading 'activeNtxId')
    at https://SUB.DOMAIN.TLD/assets/v0.90.4/app-dist/desktop.js:2:99451
    at HTMLDocument.<anonymous> (https://SUB.DOMAIN.TLD/assets/v0.90.4/app-dist/desktop.js:2:146489)
    at handleObj.handler (https://SUB.DOMAIN.TLD/assets/v0.90.4/node_modules/jquery-hotkeys/jquery-hotkeys.js:200:30)
    at HTMLDocument.dispatch (https://SUB.DOMAIN.TLD/assets/v0.90.4/node_modules/jquery/dist/jquery.min.js:2:40035)
    at v.handle (https://SUB.DOMAIN.TLD/assets/v0.90.4/node_modules/jquery/dist/jquery.min.js:2:38006)
Stack: Error
    at Object.w [as logError] (https://SUB.DOMAIN.TLD/assets/v0.90.4/app-dist/desktop.js:2:159531)
    at window.onerror (https://SUB.DOMAIN.TLD/assets/v0.90.4/app-dist/desktop.js:2:93586)
16:19:28.189 Generated CSRF token Cud4keNb-YvB-w3sq9dXfY1kGGjx4jSZiE6E with secret undefined
16:19:28.309 JS Error: Uncaught error: Message: Uncaught TypeError: Cannot read properties of undefined (reading 'activeNtxId'), URL: https://SUB.DOMAIN.TLD/assets/v0.90.4/app-dist/desktop.js, Line: 2, Column: 99451, Error object: {}, Stack: TypeError: Cannot read properties of undefined (reading 'activeNtxId')
    at https://SUB.DOMAIN.TLD/assets/v0.90.4/app-dist/desktop.js:2:99451
    at HTMLDocument.<anonymous> (https://SUB.DOMAIN.TLD/assets/v0.90.4/app-dist/desktop.js:2:146489)
    at handleObj.handler (https://SUB.DOMAIN.TLD/assets/v0.90.4/node_modules/jquery-hotkeys/jquery-hotkeys.js:200:30)
    at HTMLDocument.dispatch (https://SUB.DOMAIN.TLD/assets/v0.90.4/node_modules/jquery/dist/jquery.min.js:2:40035)
    at v.handle (https://SUB.DOMAIN.TLD/assets/v0.90.4/node_modules/jquery/dist/jquery.min.js:2:38006)
Stack: Error
    at Object.w [as logError] (https://SUB.DOMAIN.TLD/assets/v0.90.4/app-dist/desktop.js:2:159531)
    at window.onerror (https://SUB.DOMAIN.TLD/assets/v0.90.4/app-dist/desktop.js:2:93586)
16:19:28.331 Generated CSRF token MB5A2BkW-rqh4aXVLEe7IRPcQHAlo8URi4DQ with secret undefined
16:19:30.608 200 GET /api/tree with 16092 bytes took 0ms
16:19:30.611 200 GET /api/keyboard-actions with 13999 bytes took 2ms
16:19:30.612 200 GET /api/options with 6572 bytes took 1ms
16:19:30.613 200 GET /api/script/widgets with 2687 bytes took 1ms
16:19:31.041 ERROR: Invalid CSRF token: MB5A2BkW-rqh4aXVLEe7IRPcQHAlo8URi4DQ, secret: LHT521SSTQ7JW6s7HDL5aA3D
16:19:31.041 Error: Invalid CSRF token
16:19:31.111 JS Error: 403 POST tree/load - Invalid CSRF token
Stack: Error
    at Object.w [as logError] (https://SUB.DOMAIN.TLD/assets/v0.90.4/app-dist/desktop.js:2:159531)
    at Object.g [as throwError] (https://SUB.DOMAIN.TLD/assets/v0.90.4/app-dist/desktop.js:2:149421)
    at c (https://SUB.DOMAIN.TLD/assets/v0.90.4/app-dist/desktop.js:2:145614)
    at async Object.error (https://SUB.DOMAIN.TLD/assets/v0.90.4/app-dist/desktop.js:2:144370)

Frontend logs:

POST https://SUB.DOMAIN.TLD/api/tree/load 403 (Forbidden)
send @ jquery.min.js:2
ajax @ jquery.min.js:2
(anonymous) @ server.js:157
(anonymous) @ server.js:117
l @ server.js:104
await in l
post @ server.js:40
reloadNotes @ froca.js:170
getNotes @ froca.js:239
getNote @ froca.js:270
d @ script_context.js:10
await in d
executeBundle @ bundle.js:17
getWidgetBundlesByParent @ bundle.js:77
await in getWidgetBundlesByParent
(anonymous) @ desktop.js:13
await in (anonymous)
__webpack_require__.a @ async module:49
1987 @ zoom.js:65
__webpack_require__ @ bootstrap:19
(anonymous) @ startup:4
(anonymous) @ startup:4

ws.js:18 16:19:29 403 POST tree/load - Invalid CSRF token
w @ ws.js:18
g @ toast.js:100
c @ server.js:222
await in c
error @ server.js:141
c @ jquery.min.js:2
fireWith @ jquery.min.js:2
l @ jquery.min.js:2
(anonymous) @ jquery.min.js:2
load
send @ jquery.min.js:2
ajax @ jquery.min.js:2
(anonymous) @ server.js:157
(anonymous) @ server.js:117
l @ server.js:104
await in l
post @ server.js:40
reloadNotes @ froca.js:170
getNotes @ froca.js:239
getNote @ froca.js:270
d @ script_context.js:10
await in d
executeBundle @ bundle.js:17
getWidgetBundlesByParent @ bundle.js:77
await in getWidgetBundlesByParent
(anonymous) @ desktop.js:13
await in (anonymous)
__webpack_require__.a @ async module:49
1987 @ zoom.js:65
__webpack_require__ @ bootstrap:19
(anonymous) @ startup:4
(anonymous) @ startup:4

toast.js:102 Uncaught (in promise) Error: 403 POST tree/load - Invalid CSRF token
    at Object.g [as throwError] (toast.js:102:11)
    at c (server.js:222:22)
    at async Object.error (server.js:138:45)
g @ toast.js:102
c @ server.js:222
await in c
c @ jquery.min.js:2
fireWith @ jquery.min.js:2
l @ jquery.min.js:2
(anonymous) @ jquery.min.js:2
load
send @ jquery.min.js:2
ajax @ jquery.min.js:2
(anonymous) @ server.js:157
(anonymous) @ server.js:117
l @ server.js:104
await in l
post @ server.js:40
reloadNotes @ froca.js:170
getNotes @ froca.js:239
getNote @ froca.js:270
d @ script_context.js:10
await in d
executeBundle @ bundle.js:17
getWidgetBundlesByParent @ bundle.js:77
await in getWidgetBundlesByParent
(anonymous) @ desktop.js:13
await in (anonymous)
__webpack_require__.a @ async module:49
1987 @ zoom.js:65
__webpack_require__ @ bootstrap:19
(anonymous) @ startup:4
(anonymous) @ startup:4
perfectra1n commented 1 month ago

I've seen this before in my own implementations - the fix is typically to sign out of Trilium as you mentioned. You also may want to evaluate if there is cache between the browser that's having the issues and the TriliumNext container. Traefik might be using cache in your implementation. If you do have cache enabled, perhaps disabling it will help.

Also, refreshing the page without cache (ctrl + shift + r) after logging in might help?