martenframework / marten

The pragmatic web framework.
https://martenframework.com
MIT License
425 stars 24 forks

CSRF Token Not Found When Using `MethodOverride` Middleware with PUT, PATCH, DELETE Methods #272

Closed treagod closed 2 weeks ago

treagod commented 3 weeks ago

Description

When using the MethodOverride middleware to handle POST forms that override HTTP methods (e.g., PUT, PATCH, DELETE), the request fails with an error stating that no CSRF token was found, despite the token being present in the form. The issue likely lies in how the RequestForgeryProtection module handles CSRF tokens when methods are overridden.

Steps to Reproduce

  1. Enable the MethodOverride middleware in the application.
  2. Create a form that submits via POST but includes a hidden _method field to override the method to PUT, PATCH, or DELETE.
  3. Submit the form with a valid CSRF token.
  4. Observe that the request fails with an error indicating that no CSRF token was found.

Expected Behavior

The CSRF token should be correctly recognized and verified, and the form submission should proceed without errors.

Actual Behavior

The request fails, and the following error is returned: CSRF token is missing

This occurs even though the CSRF token is correctly embedded in the form.

Potential Cause

The issue appears to be that the RequestForgeryProtection module does not correctly detect the CSRF token when the HTTP method is overridden by the MethodOverride middleware. The method override may be affecting the middleware’s ability to correctly locate and validate the CSRF token.

Impact

This issue prevents forms that override HTTP methods from being submitted successfully, even when the CSRF token is present and correct.
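An added illustration of the failure mode this report describes, not code from Marten: a method-override step rewrites a POST to PUT, a CSRF check that reads the form body only while the method is POST then misses the token, and an override-aware check that still finds it. The `Request` class, the `csrftoken` field name and the `X-CSRF-Token` header are assumptions of the example.

```python
import hmac
from dataclasses import dataclass, field
from urllib.parse import parse_qs

UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

@dataclass
class Request:  # hypothetical request object, not Marten's
    method: str
    body: str = ""  # raw URL-encoded form body
    headers: dict = field(default_factory=dict)

    def form(self) -> dict:
        # Parse the body as a URL-encoded form, first value per field
        return {k: v[0] for k, v in parse_qs(self.body).items()}

def method_override(req: Request) -> Request:
    """Rewrite the method from a hidden _method field, as a method-override
    middleware does; only POST bodies are considered."""
    if req.method == "POST":
        wanted = req.form().get("_method", "").upper()
        if wanted in {"PUT", "PATCH", "DELETE"}:
            req.method = wanted
    return req

def csrf_naive(req: Request, session_token: str) -> bool:
    """Failure mode: the form body is consulted only while the method is
    still POST, so after the override the token is never found."""
    if req.method not in UNSAFE_METHODS:
        return True
    token = req.form().get("csrftoken") if req.method == "POST" else None
    token = token or req.headers.get("X-CSRF-Token")  # assumed header name
    return token is not None and hmac.compare_digest(token, session_token)

def csrf_override_aware(req: Request, session_token: str) -> bool:
    """Mitigation: every unsafe method reads the token from the form body
    (still a form-encoded POST body) before falling back to the header."""
    if req.method not in UNSAFE_METHODS:
        return True
    token = req.form().get("csrftoken") or req.headers.get("X-CSRF-Token")
    return token is not None and hmac.compare_digest(token, session_token)

SESSION_TOKEN = "constructed-session-token"
def sample_request() -> Request:
    # Constructed submission: a POST form carrying _method=PUT and a valid token
    return Request("POST", "_method=PUT&csrftoken=constructed-session-token&title=x")

def reproduce() -> tuple:
    # Returns (effective method, naive check result, override-aware check result)
    req = method_override(sample_request())
    return req.method, csrf_naive(req, SESSION_TOKEN), csrf_override_aware(req, SESSION_TOKEN)
```

With the sample submission, `reproduce()` returns `("PUT", False, True)`: the same body passes the override-aware check and fails the naive one.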