Closed darylthornhill closed 6 years ago
Laravel Caffeine isn't compatible with SPA sites. POST methods will fail nonetheless, whatever you are using.
There are two ways to tackle the problem:
@ItaloBC Surely if drip is supposed to update the meta tag of the HTML, then I can just grab that meta tag when I post though?
Currently Drip doesn't update the meta tag, it isn't changing. Even on standard blade views.
The drip is running in the network tab in the developer tools window too.
@darylthornhill No. The drip doesn't update the token.
What Laravel Caffeine does is simple: constantly pokes your App with a GET request, which returns a 204 code (response OK with no body). That is what we consider a drip.
Before returning the response, in layman's terms, Laravel checks that the cookie_session that is sent with the drip matches the session entry (a file, a database row, or whatever your driver is):
Then it makes a response with nothing, and an OK is the only thing that is needed.
You will get a nice 419 code with TokenMismatchException after the form (with the token) is sent if the token is expired, and so, no longer valid.
Okay that makes sense why the meta isn’t changing.
However it doesn’t really make sense why my token is expiring.
If I set my token to expire in 4 mins and drip every 10 secs. After 4 mins I get a token mismatch error. If using axios or another Ajaxy method.
On Tue, 10 Apr 2018 at 15:47, ItaloBC notifications@github.com wrote:
@darylthornhill https://github.com/darylthornhill No. The drip doesn't update the token.
What Laravel Caffeine does is poking your App with a GET, which returns a 204 code https://httpstatuses.com/204 (response OK with no body).
Before returning the response, in layman's terms, Laravel checks that the cookie_session sent with the drip matches the session entry (a file, a database row, or whatever your driver is). If it is true, it will renew the token expiration for the time configured in your app (120 min default).
If not, the token will be marked as expired, and it will throw a 419 code with TokenMismatchException after the form (with the token) is sent.
@darylthornhill Maybe it's related to #89
In my app my forms are expiring, and it's not SPA, regardless of the configuration and dripping status.
You can set your session lifetime to 1 min, and change this in genealabs-laravel-caffeine.php:
'drip-interval' => 20000,
'outdated-drip-check-interval' => 0,
Make a view with a simple form and submit it after the minute. If everything is set correctly, you should get a successful submission. At least, for me, it doesn't work unless I add manually the dripping route to my web.php.
I'll give #89 a go shortly. Cheers for the swift help!
No problem.
I just gave it a go and set the route up in my web.php routes file and it works. I'm pretty sure because in the web.php routes it's hitting the verify csrf middleware.
As far as I can see the caffeine drip doesn't hit that middleware. That could be the problem?
@darylthornhill No, the dripping isn't related to verifying the CSRF Token. Otherwise, making a GET to any other route shouldn't refresh the session either.
Nah I meant the verify csrf middleware is the place that looks to refresh the xsrf cookie.
Does drip rely on that?
Hence why creating your own route in the web.php works because it refreshes that xsrf token and when it’s posted it’ll be a valid non expired token.
I can see that caffeine looks for the web middleware.
The only reason why I can see that me manually adding the route vs using just the caffeine plugin works is that maybe caffeine can’t see that the web middleware exists.
I’ll have a gander into the source code of the plugin tomorrow and let you know.
You are right, caffeine doesn't see the 'web' middleware-group. I think I know how it can be fixed: by manually adding the route with the middleware-group
I'll close this as the csrf-token is not meant to be updated. Looks like you already started the other issue. :)
Expected Behavior
csrf-token meta should get updated on drip.
Actual Behavior
I'm using axios, I am prepending the csrf-token from the meta to the headers of the axios request. If I manually update my csrf meta tag then it gets picked up in axios however drip doesn't update the csrf-token meta.
Environment
Stack Trace
Standard token mismatch error.
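
The behaviour worked out in this thread, as an added example that is not part of the original thread, of Laravel, or of Laravel Caffeine's code: a simplified JavaScript model of a sliding session lifetime, in which a drip keeps the original CSRF token valid only when it passes through the session middleware of the 'web' group. Class and function names are hypothetical, tokens are constructed strings, and times are in seconds.

```javascript
// Simplified model of the session handling discussed above (not Laravel code).
class App {
  constructor(lifetime) {
    this.lifetime = lifetime;   // session lifetime in seconds
    this.sessions = new Map();  // session id -> { token, lastSeen }
    this.nextId = 1;
  }

  // What the session middleware in the 'web' group does: load the session if
  // it is still alive, otherwise start a new one with a new CSRF token.
  startSession(cookie, now) {
    let s = this.sessions.get(cookie);
    if (!s || now - s.lastSeen > this.lifetime) {
      cookie = `sess-${this.nextId++}`;
      s = { token: `tok-${cookie}` };  // constructed; a real token is random
      this.sessions.set(cookie, s);
    }
    s.lastSeen = now;                  // sliding expiry: each request renews it
    return { cookie, session: s };
  }

  // Page load: returns the session cookie and the token placed in the meta tag.
  get(cookie, now) {
    const { cookie: c, session } = this.startSession(cookie, now);
    return { status: 200, cookie: c, token: session.token };
  }

  // Drip: 204 with no body. It only renews the session when routed via 'web'.
  drip(cookie, now, viaWebGroup) {
    if (viaWebGroup) this.startSession(cookie, now);
    return { status: 204 };
  }

  // POST: the CSRF check compares the submitted token with the session's token.
  post(cookie, token, now) {
    const { session } = this.startSession(cookie, now);
    return { status: token === session.token ? 200 : 419 };
  }
}

// Scenario from the thread: 4-minute lifetime, drip every 10 seconds, form
// submitted after 5 minutes with the token from the original page load.
function submitAfterIdle(viaWebGroup, lifetime = 240, interval = 10, idle = 300) {
  const app = new App(lifetime);
  const page = app.get(undefined, 0);
  for (let t = interval; t < idle; t += interval) app.drip(page.cookie, t, viaWebGroup);
  return app.post(page.cookie, page.token, idle).status;
}
```

The meta tag never changes in either case; the difference is whether the session holding that token is still alive when the POST arrives.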