expressjs / csurf

CSRF token middleware
MIT License

New token secret with every request #220

Closed Elliot128 closed 4 years ago

Elliot128 commented 4 years ago

I'm running this in a lambda access through api gateway. Every request is producing a new token secret on the _csrf cookie. As a result, every request is giving me an invalid csrf token error.

import { Router } from 'express';
import cookieParser from 'cookie-parser';
import csurf from 'csurf';

const router = Router();

// csurf reads the secret from the _csrf cookie, so cookie-parser must run first.
router.use(cookieParser());

// Secret stored in a Secure, HttpOnly, SameSite=Strict cookie; no method is
// exempt from token validation (ignoreMethods is empty, so even GET is checked).
const csrfProtection = csurf({
  cookie: { secure: true, httpOnly: true, sameSite: 'strict' },
  ignoreMethods: [],
});

router.route('/callback').get(csrfProtection);
dougwilson commented 4 years ago

Hm, strange. It should only be providing back a new value if the client is not sending the _csrf cookie to the server with the request. Can you check if your request contains a Cookie HTTP header and that it has a _csrf= in there?

Elliot128 commented 4 years ago

Thanks for the quick response. I checked the cookies and you were correct, the browser is not sending any cookie headers for some reason.

Will comment back when I resolve my issue in case others run into this as well.

Elliot128 commented 4 years ago

So my issue was using the strict sameSite policy for the cookie.

This route was being hit by an OAuth redirect. As a result, the browser recognized the request as coming from a different domain. Relaxing the sameSite policy to lax resolved the issue. Thanks again for the quick response.
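Why Strict breaks the redirect while Lax does not, as an added example that is not part of csurf or of the issue's own code: it models the browser's SameSite rule for attaching a cookie and csurf's rule of reusing the secret from the _csrf cookie or minting a new one when it is absent. The helper names and the `secret-N` values are constructed for the illustration.

```javascript
// Browser side: methods a SameSite=Lax cookie may accompany on cross-site top-level navigation.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Would a cookie with these attributes be attached to this request?
// request = { method, sameSiteContext (initiator is same-site), topLevelNavigation }
function cookieIsSent(cookie, request) {
  if (request.sameSiteContext) return true;            // same-site: always sent
  switch ((cookie.sameSite || 'lax').toLowerCase()) {
    case 'strict': return false;                       // never on a cross-site request
    case 'lax':    return request.topLevelNavigation && SAFE_METHODS.has(request.method);
    case 'none':   return Boolean(cookie.secure);      // only with the Secure attribute
    default:       return false;
  }
}

// Server side (simplified csurf): reuse the secret from the _csrf cookie if the
// browser sent it, otherwise mint a fresh secret and set the cookie again.
function handleRequest(jar, cookieAttrs, request, mintSecret) {
  const stored = jar.get('_csrf');
  if (stored && cookieIsSent(cookieAttrs, request)) {
    return { secret: stored, minted: false };
  }
  const secret = mintSecret();
  jar.set('_csrf', secret);                            // overwrites the old secret in the browser
  return { secret, minted: true };
}

// The flow from the issue: a same-site page load sets the cookie, then the OAuth
// provider redirects the browser (cross-site, top-level GET) to /callback.
function simulateOAuthCallback(sameSite) {
  const jar = new Map();                               // the browser's cookie jar
  const cookieAttrs = { secure: true, httpOnly: true, sameSite };
  let n = 0;
  const mint = () => `secret-${++n}`;                  // constructed stand-in for csurf's random secret
  const login = handleRequest(jar, cookieAttrs,
    { method: 'GET', sameSiteContext: true, topLevelNavigation: true }, mint);
  const callback = handleRequest(jar, cookieAttrs,
    { method: 'GET', sameSiteContext: false, topLevelNavigation: true }, mint);
  // A token issued under the login secret validates only if /callback saw the same secret.
  return { tokenStillValid: login.secret === callback.secret, secrets: [login.secret, callback.secret] };
}

console.log('strict:', simulateOAuthCallback('strict')); // tokenStillValid: false
console.log('lax:', simulateOAuthCallback('lax'));       // tokenStillValid: true
```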