blitz-js / legacy-framework

MIT License

CSRFTokenMismatchError when using curl or Insomnia to request RPC routes #208

Closed kaedub closed 2 years ago

kaedub commented 2 years ago

What is the problem?

I'm trying to test some functionality through an RPC route and am getting 401 CSRFTokenMismatchError even though I have provided a valid anti-csrf token header.

Paste all your error logs here:

17:17:09.180 ERROR Error while processing the request 

 CSRFTokenMismatchError  
details:
{
  name: 'CSRFTokenMismatchError',
  statusCode: 401
} 
[CSRFTokenMismatchError] { statusCode: 401 }
events.js:353
      throw er; // Unhandled 'error' event
      ^

Error [ERR_STREAM_WRITE_AFTER_END] [ERR_STREAM_WRITE_AFTER_END]: write after end
    at writeAfterEnd (_http_outgoing.js:694:15)
    at ServerResponse.end (_http_outgoing.js:815:7)
    at ServerResponse.end (/Users/kevinwelch/Mediahound/client/curator-neue/node_modules/next/dist/compiled/compression/index.js:1:4179)
    at ServerResponse.apiRes.end (/Users/kevinwelch/Mediahound/client/curator-neue/node_modules/next/dist/server/api-utils.js:83:25)
    at sendError (/Users/kevinwelch/Mediahound/client/curator-neue/node_modules/next/dist/server/api-utils.js:490:9)
    at Object.apiResolver (/Users/kevinwelch/Mediahound/client/curator-neue/node_modules/next/dist/server/api-utils.js:127:13)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (internal/process/task_queues.js:95:5)
    at async DevServer.handleApiRequest (/Users/kevinwelch/Mediahound/client/curator-neue/node_modules/next/dist/server/next-server.js:766:9)
    at async Object.fn (/Users/kevinwelch/Mediahound/client/curator-neue/node_modules/next/dist/server/next-server.js:657:37)
Emitted 'error' event on ServerResponse instance at:
    at writeAfterEndNT (_http_outgoing.js:753:7)
    at processTicksAndRejections (internal/process/task_queues.js:83:21) {
  code: 'ERR_STREAM_WRITE_AFTER_END'
}

Paste all relevant code snippets here:

Not sure if it's relevant, but I have a hardcoded access token in seeds.ts that, in a previous version of Blitz, I used to be able to use to make requests to the dev server API.

  // Imports a Blitz seed file needs for this snippet (not shown in the original post)
  import db, { TokenType } from "db"
  import { hash256 } from "blitz"

  // `testUser` is created earlier in seeds.ts (not included in the snippet)
  const token = "p98hqwflks9220js30jasdjj0"
  // Only the SHA-256 hash is persisted; the plaintext is what a client sends as a Bearer token
  const hashedToken = hash256(token)
  await db.token.create({
    data: {
      user: { connect: { id: testUser.userId! } },
      type: TokenType.ACCESS_TOKEN,
      hashedToken,
      expiresAt: new Date(9999, 0), // effectively never expires (dev seed only)
      sentTo: "testuser@test.com",
    },
  })

Happens with all RPC routes so I have no other relevant code snippets.

What are detailed steps to reproduce this?

  1. Console log the antiCSRFToken in a React component.
  2. Copy the token into the anti-csrf header in Insomnia.
  3. Add the Auth Bearer token to the Insomnia auth tab.
  4. Send the POST request from Insomnia.

Run blitz -v and paste the output here:

blitz: 0.41.0 (local)

  Package manager: yarn 
  System:
    OS: macOS 10.15.7
    CPU: (12) x64 Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz
    Memory: 30.05 MB / 16.00 GB
    Shell: 5.7.1 - /bin/zsh
  Binaries:
    Node: 14.17.0 - /var/folders/zc/xh575l5d5nzfv2_2mftcp28w0000gn/T/yarn--1635985435451-0.8484258469385617/node
    Yarn: 1.22.10 - /var/folders/zc/xh575l5d5nzfv2_2mftcp28w0000gn/T/yarn--1635985435451-0.8484258469385617/yarn
    npm: 7.14.0 - /usr/local/bin/npm
    Watchman: Not Found
  npmPackages:
    @prisma/client: 3.x => 3.2.0 
    blitz: 0.41.0 => 0.41.0 
    prisma: 3.x => 3.2.0 
    react: 18.0.0-alpha-bc4e75112-20210815 => 18.0.0-alpha-bc4e75112-20210815 
    react-dom: 18.0.0-alpha-bc4e75112-20210815 => 18.0.0-alpha-bc4e75112-20210815 
    typescript: ~4.4 => 4.4.2 

Please include below any other applicable logs and screenshots that show your problem:

No response

flybayer commented 2 years ago

So the anti-csrf token is tied to a specific session. You can't copy the token from one session and use it in another.

So in Insomnia, you first need to clear all cookies (remove the session from Insomnia), then make any request to the backend. That will automatically create an anon session and set cookies in Insomnia. You'll then need to get the correct anti-csrf token from that cookie in Insomnia.
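The same cookie-jar flow done with curl, as an added example (not code from the issue or from the Blitz project). It assumes the anti-CSRF cookie name ends in `sAntiCsrfToken`, that the request header is `anti-csrf`, that RPC routes live under `/api/rpc/<name>` and accept a `{"params": ..., "meta": {}}` body, and that a request to the root page runs the session middleware; the sample cookie jar is constructed, not a real capture. The point it demonstrates is the one in the reply above: the token must come from the cookies of the session you are about to send with, so a token copied out of a browser console can never match a curl or Insomnia session.

```shell
#!/bin/sh
# Added example (not from the issue or the Blitz project): reproduce the
# one-session cookie-jar flow with curl. Assumed names: cookie "<prefix>_sAntiCsrfToken",
# header "anti-csrf", routes /api/rpc/<name> with a {"params":...,"meta":{}} body.
set -eu

# Print the anti-CSRF token stored in a curl cookie jar (Netscape format, tab
# separated: domain flag path secure expiry name value). HttpOnly cookies carry a
# "#HttpOnly_" prefix on the domain field, so field positions do not change.
# Exits non-zero when no matching cookie is present.
extract_anti_csrf() {
  awk -F'\t' '$6 ~ /sAntiCsrfToken$/ { print $7; found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# Constructed sample jar (not a real capture) so extract_anti_csrf can be tried
# offline; cookie names follow the assumed "<prefix>_sAntiCsrfToken" pattern.
write_sample_jar() {
  jar="$(mktemp)"
  {
    printf '# Netscape HTTP Cookie File\n'
    printf '#HttpOnly_localhost\tFALSE\t/\tFALSE\t0\tblitz_sAnonymousSessionToken\tANON_SESSION_COOKIE\n'
    printf 'localhost\tFALSE\t/\tFALSE\t0\tblitz_sAntiCsrfToken\tSAMPLE_ANTI_CSRF_TOKEN\n'
  } > "$jar"
  printf '%s\n' "$jar"
}

# Call an RPC route the way the browser does: one session, one cookie jar.
#   1. Start from an empty jar (the curl equivalent of clearing Insomnia's cookies).
#   2. Make any request so the server creates an anonymous session and sets cookies.
#   3. Read the anti-CSRF token from that jar, never from another session.
#   4. POST to the route with the same jar and the token in the anti-csrf header.
# A token pasted from a React console log fails at step 3: it belongs to the
# browser's session, not to the one held in this jar.
call_rpc() {
  base="$1"; route="$2"; params="$3"
  jar="$(mktemp)"                                    # 1: fresh, empty jar
  curl -s -o /dev/null -c "$jar" "$base/"            # 2: any request (root page assumed to run session middleware)
  token="$(extract_anti_csrf "$jar")"                # 3: token tied to this jar's session
  set -- -H "anti-csrf: $token"
  if [ -n "${ACCESS_TOKEN:-}" ]; then                # optional: the hardcoded seed token from the issue
    set -- "$@" -H "Authorization: Bearer $ACCESS_TOKEN"
  fi
  curl -s -b "$jar" -c "$jar" -X POST \
    -H "Content-Type: application/json" "$@" \
    --data "{\"params\":$params,\"meta\":{}}" \
    "$base/api/rpc/$route"                           # 4: same cookies, matching token
}

# Talks to a real dev server only when BLITZ_URL is set, e.g.
#   BLITZ_URL=http://localhost:3000 sh rpc.sh getCurrentUser null
if [ -n "${BLITZ_URL:-}" ]; then
  call_rpc "$BLITZ_URL" "${1:-getCurrentUser}" "${2:-null}"
fi
```

Using one jar for both `-b` and `-c` keeps the session cookie and the anti-CSRF cookie together across the two requests; if the first request does not write a `sAntiCsrfToken` line into the jar, the request did not reach the session middleware and the script stops there rather than sending a mismatched token.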

kaedub commented 2 years ago

@flybayer thanks for the response. I guess I was just doing this wrong then. You can close this issue.