search

duct-framework / module.web

Duct module for running web applications
21 stars 20 forks source link

invalid anti-forgery token #11

Closed lrosso closed 6 years ago

lrosso commented 6 years ago

Hi,

I guess this issue might be related with issue #10

As it has just got closed, I'd rather open this new one instead of going on with that other one.

As issue reported there got fixed thanks to suggestions supplied, issue reported here arose: as I try to access a couple POST endpoints by means of Postman, I get the following error reported:

<h1>invalid anti-forgery token</h1>

Immediately before implementing fix suggested in previous issue, I had been able to access both endpoints successfully.

Solutions found so far seem too fragmentary, at least for a beginner in Duct like me...

Or out-dated: I arrive to that conclusion as Component is mentioned there which, as far as I know, has been replaced by Immutant in Duct's current version.

Full current version of edn config shown below; what's wrong with it? How should I fix it?

{:duct.core/project-ns  conduit
 :duct.core/environment :production

 :duct.middleware.buddy/authentication
 {:backend :jws
  :secret  #duct/env "JWT_SECRET"}

 :duct.module/logging {}
; :duct.module.web/api {}
 :duct.module/sql     {}
 :duct.module.web/site {}
; :duct.module/cljs     {:main conduit.core}

; :duct.core/handler
; {:middleware [#ig/ref :duct.middleware.web/route-aliases]}

; :duct.middleware.web/route-aliases
; {"/" "/index.html"}

 :duct.migrator/ragtime
 {:migrations [#ig/ref :conduit.migration/create-table-user
               #ig/ref :conduit.migration/create-table-follow
               #ig/ref :conduit.migration/create-table-article
               #ig/ref :conduit.migration/create-table-tag
               #ig/ref :conduit.migration/create-table-favorite
               #ig/ref :conduit.migration/create-table-comment]}

 [:duct.migrator.ragtime/sql :conduit.migration/create-table-user]
 {:up   [#duct/resource "migrations/create-table-user-2018-04-23.sql"]
  :down [#duct/resource "migrations/drop-table-user-2018-04-23.sql"]}

 [:duct.migrator.ragtime/sql :conduit.migration/create-table-follow]
 {:up   [#duct/resource "migrations/create-table-follow-2018-04-23.sql"]
  :down [#duct/resource "migrations/drop-table-follow-2018-04-23.sql"]}

 [:duct.migrator.ragtime/sql :conduit.migration/create-table-article]
 {:up   [#duct/resource "migrations/create-table-article-2018-04-23.sql"]
  :down [#duct/resource "migrations/drop-table-article-2018-04-23.sql"]}

 [:duct.migrator.ragtime/sql :conduit.migration/create-table-tag]
 {:up   [#duct/resource "migrations/create-table-tag-2018-04-23.sql"]
  :down [#duct/resource "migrations/drop-table-tag-2018-04-23.sql"]}

 [:duct.migrator.ragtime/sql :conduit.migration/create-table-favorite]
 {:up   [#duct/resource "migrations/create-table-favorite-2018-04-23.sql"]
  :down [#duct/resource "migrations/drop-table-favorite-2018-04-23.sql"]}

 [:duct.migrator.ragtime/sql :conduit.migration/create-table-comment]
 {:up   [#duct/resource "migrations/create-table-comment-2018-04-23.sql"]
  :down [#duct/resource "migrations/drop-table-comment-2018-04-23.sql"]}

 :conduit.handler.walkable/compile-schema
 {:columns [:user/email :user/token :user/username :user/bio :user/image
            :article/slug :article/title :article/description :article/body
            :article/created-at :article/updated-at
            :tag/tag
            :comment/id :comment/created-at :comment/updated-at :comment/body]

  :idents {:user/by-id       :user/id
           :user/by-username :user/username
           :users/all        "user"
           :articles/all     "article"
           :articles/feed    "article"
           :article/by-slug  :article/slug
           :article/by-id    :article/id}

  :joins {[:user/followed-by :user/followed-by-me?]
          [:user/id :follow/followee-id :follow/follower-id :user/id]

          :article/tags [:article/id :tag/article-id]

          :article/comments [:article/id :comment/article-id]

          [:article/liked-by :article/liked-by-count :article/liked-by-me?]
          [:article/id :favorite/article-id :favorite/user-id :user/id]

          :article/author [:article/author-id :user/id]

          :comment/author [:comment/author-id :user/id]}
  :reversed-joins {:user/follows :user/followed-by
                   :user/like    :article/liked-by}
  :pseudo-columns {:agg/count [:count-*]}
  :cardinality    {:user/by-id             :one
                   :user/by-username       :one
                   :article/by-id          :one
                   :article/by-slug        :one
                   :article/author         :one
                   :article/liked-by-me?   :one
                   :user/followed-by-me?   :one
                   :article/liked-by-count :one}}

 :conduit.handler.sql/run-query {}

 :conduit.handler.walkable/resolver
 #:walkable.sql-query-builder {:duct/logger #ig/ref :duct/logger
                               :run-query   #ig/ref :conduit.handler.sql/run-query
                               :sql-db      #ig/ref :duct.database.sql/hikaricp
                               :sql-schema  #ig/ref :conduit.handler.walkable/compile-schema}

 :duct.module/ataraxy
 {
;  [:get "/"]
;  ["/index.html"]
;  [:index/index-page]

  [:post "/api/users" {{:keys [user]} :body-params}]
  [:user/create user]

  [:post "/api/users/login" {{:keys [user]} :body-params}]
  [:user/login user]

  [:get "/api/profiles/" username]
  ^:jws-auth [:user/by-username username]

  [:post "/api/profiles/" username "/follow"]
  ^:jws-auth [:user/follow username]

  [:delete "/api/profiles/" username "/follow"]
  ^:jws-auth [:user/unfollow username]

  [:get "/api/articles/" slug]
  ^:jws-auth [:article/by-slug slug]

  [:get "/api/articles/" slug "/comments"]
  ^:jws-auth [:article/comments-by-slug slug]

  [:delete "/api/articles/" slug]
  ^:jws-auth [:article/destroy slug]

  [:post "/api/articles/" slug "/favorite"]
  ^:jws-auth [:article/like slug]

  [:delete "/api/articles/" slug "/favorite"]
  ^:jws-auth [:article/unlike slug]

  [:post "/api/articles/" slug "/comments" {{comment-item :comment} :body-params}]
  ^:jws-auth [:article/create-comment slug comment-item]

  [:delete "/api/articles/" slug "/comments/" id]
  ^:jws-auth [:article/destroy-comment ^int id]

  [:post "/api/articles" {{:keys [article]} :body-params}]
  ^:jws-auth [:article/create article]

  [:get "/api/articles" {params :query-params}]
  ^:jws-auth [:article/all-articles params]

  [:get "/api/articles/feed" {params :query-params}]
  ^:jws-auth [:article/feed params]

  [:get "/api/user"]
  ^:jws-auth [:user/whoami]}

 :duct.router/ataraxy {:middleware {:jws-auth #ig/ref :duct.middleware.buddy/authentication}}

 :duct.core/handler
 {:middleware [#ig/ref :duct.middleware.web/format
               #ig/ref :duct.middleware.web/defaults
               #ig/ref :duct.middleware.web/route-aliases]}

 :duct.middleware.web/defaults
 {:static {:resources ["public"]}}

 :duct.middleware.web/format {}
 :duct.middleware.web/route-aliases
 {"/" "/index.html"}

 :conduit.handler.user/whoami
 {:db         #ig/ref :duct.database/sql
  :jwt-secret #duct/env "JWT_SECRET"}

 :conduit.handler.user/by-username
 {:resolver #ig/ref :conduit.handler.walkable/resolver}

 :conduit.handler.article/destroy
 {:db #ig/ref :duct.database/sql}

 :conduit.handler.article/by-slug
 {:resolver #ig/ref :conduit.handler.walkable/resolver}

 :conduit.handler.article/comments-by-slug
 {:resolver #ig/ref :conduit.handler.walkable/resolver}

 :conduit.handler.user/create
 {:db         #ig/ref :duct.database/sql
  :jwt-secret #duct/env "JWT_SECRET"}

 :conduit.handler.article/all-articles
 {:resolver #ig/ref :conduit.handler.walkable/resolver}

 :conduit.handler.article/feed
 {:resolver #ig/ref :conduit.handler.walkable/resolver}

 :conduit.handler.article/create
 {:db #ig/ref :duct.database/sql}

 :conduit.handler.article/like
 {:db #ig/ref :duct.database/sql}

 :conduit.handler.article/unlike
 {:db #ig/ref :duct.database/sql}

 :conduit.handler.user/follow
 {:db #ig/ref :duct.database/sql}

 :conduit.handler.user/unfollow
 {:db #ig/ref :duct.database/sql}

 :conduit.handler.article/create-comment
 {:db #ig/ref :duct.database/sql}

 :conduit.handler.article/destroy-comment
 {:db #ig/ref :duct.database/sql}

 :conduit.handler.user/login
 {:db         #ig/ref :duct.database/sql
  :jwt-secret #duct/env "JWT_SECRET"}

; :conduit.handler.index/index-page {}

}

Thanks in advance !

Luis

weavejester commented 6 years ago

The first question that needs to be answered is: do you need protection from CSRF attacks or not for your POST routes?

As you're using JWS authentication it's likely that you don't, however you'll need to make that call yourself.

If you don't need it, then you can just turn it off with:

:duct.middleware.web/defaults
{:security {:anti-forgery false}}

If you do need it, then read through the documentation for Ring-Anti-Forgery to get an idea of how to use it.

lrosso commented 6 years ago

Hi James,

anti-forgery desabled, endpoints responding ok again.

Thank you very much.

Luis