Open Boc-chi-no opened 12 months ago
I have the same issue; the message appears every second in the nextcloud.log file, just exhausting it:
[no app in context] Debug: OC\AppFramework\Middleware\Security\Exceptions\CrossSiteRequestForgeryException: CSRF check failed at <<closure>>
0. /var/www/html/nextcloud/lib/private/AppFramework/Middleware/MiddlewareDispatcher.php line 96
OC\AppFramework\Middleware\Security\SecurityMiddleware->beforeController()
1. /var/www/html/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 129
OC\AppFramework\Middleware\MiddlewareDispatcher->beforeController()
2. /var/www/html/nextcloud/lib/private/AppFramework/App.php line 183
OC\AppFramework\Http\Dispatcher->dispatch()
3. /var/www/html/nextcloud/lib/private/Route/Router.php line 315
OC\AppFramework\App::main()
4. /var/www/html/nextcloud/lib/base.php line 1068
OC\Route\Router->match()
5. /var/www/html/nextcloud/index.php line 36
OC::handleRequest()
GET /apps/files/api/v1/stats
from ***.***.***.*** by username at 2023-10-21T11:54:33+03:00
Receiving the same on 27.1, unable to log in or reset password.
Debug no app in context OC\AppFramework\Middleware\Security\Exceptions\CrossSiteRequestForgeryException: CSRF check failed at 2023-11-10T22:48:24+00:00
.../Middleware/Security/SecurityMiddleware.php line 224
0. .../Middleware/MiddlewareDispatcher.php line 96
OC\AppFramework\Middleware\Security\SecurityMiddleware->beforeController(
["OC\\Core\\Controller\\WebAuthnController"],
"startAuthentication"
)
1. lib/private/AppFramework/Http/Dispatcher.php line 129
OC\AppFramework\Middleware\MiddlewareDispatcher->beforeController(
["OC\\Core\\Controller\\WebAuthnController"],
"startAuthentication"
)
2. lib/private/AppFramework/App.php line 183
OC\AppFramework\Http\Dispatcher->dispatch(["OC\\Core\\Controller\\WebAuthnController"], "startAuthentication")
3. lib/private/Route/Router.php line 315
OC\AppFramework\App::main(
"OC\\Core\\Controller\\WebAuthnController",
"startAuthentication",
["OC\\AppFramework\\DependencyInjection\\DIContainer"],
["core.WebAuthn.startAuthentication"]
)
4. lib/base.php line 1068
OC\Route\Router->match("\/login\/webauthn\/start")
5. index.php line 36
OC::handleRequest(
)
Same here. I have "CSRF check failed" when I log out. And it does not log me out. Server 28.0.2.5, PHP 8.2, MariaDB 10.6.14
with occ log:watch
Debug no app in context OC\AppFramework\Middleware\Security\Exceptions\CrossSiteRequestForgeryException: CSRF check failed at 2024-02-22T13:31:58+00:00
.../Middleware/Security/SecurityMiddleware.php line 219
0. .../Middleware/MiddlewareDispatcher.php line 96
OC\AppFramework\Middleware\Security\SecurityMiddleware->beforeController(
)
1. lib/private/AppFramework/Http/Dispatcher.php line 129
OC\AppFramework\Middleware\MiddlewareDispatcher->beforeController(
)
2. lib/private/AppFramework/App.php line 184
OC\AppFramework\Http\Dispatcher->dispatch(
)
3. lib/private/Route/Router.php line 315
OC\AppFramework\App::main(
)
4. lib/base.php line 1069
OC\Route\Router->match(
)
5. index.php line 39
OC::handleRequest(
)
And in the log:
{"reqId":"m7yIDjXDYl1bavgrqgD5","level":0,"time":"2024-02-22T13:42:15+00:00","remoteAddr":"80.125.52.13","user":"gab","app":"no app in context","method":"GET","url":"/logout?requesttoken=DeZBHtvacVl4jpRucZBplSIqPnZ%2Bp5Aj%2B%2BJ1pFdt3rE%3D%3ASp81dK%2BdJDgSzeddFtIawm5%2BdEMdzKhV1LMU9BkrjOM%3D","message":"CSRF check failed","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0","version":"28.0.2.5","exception":{"Exception":"OC\\AppFramework\\Middleware\\Security\\Exceptions\\CrossSiteRequestForgeryException","Message":"CSRF check failed","Code":412,"Trace":[{"file":"/var/www/nextcloud/lib/private/AppFramework/Middleware/MiddlewareDispatcher.php","line":96,"function":"beforeController","class":"OC\\AppFramework\\Middleware\\Security\\SecurityMiddleware","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":129,"function":"beforeController","class":"OC\\AppFramework\\Middleware\\MiddlewareDispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/App.php","line":184,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/Route/Router.php","line":315,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/var/www/nextcloud/lib/base.php","line":1069,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/var/www/nextcloud/index.php","line":39,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/nextcloud/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php","Line":219,"message":"CSRF check failed","exception":{},"CustomMessage":"CSRF check failed"}}
Same here, NC 28.0.3, issue comes and goes. Access via the iOS app works, but not with browsers.
My problem was resolved, and I was attempting to address another issue concerning slow access to Nextcloud. Upon checking the log, I discovered numerous occurrences of "GuzzleHttp\Exception\ConnectException: cURL error 28: Connection timed out after 10001 milliseconds (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://xxx.xxx.xxx/ocm-provider/". I realized that this issue was associated with federated cloud. Therefore, I removed all federated cloud connections, which restored Nextcloud's performance to normal and inadvertently resolved the problem, although I fail to comprehend the connection between these two issues.
Same here. I have "CSRF check failed" when I log out. And it does not log me out Server 28.0.2.5
I just experienced this on Server 28.0.3.
I visited the front page where it showed me the menus and chat mentions. I clicked the Log out link. The result was a Nextcloud-style Forbidden screen with a CSRF error. When I returned to the front page again and clicked Log out again, the problem went away that time.
The issue persists on NC 29: if I leave a login idle it will time out, and rather than logging out it creates the CSRF failure. However, the login is not closed, as I can change the URL and re-access the session, despite the fact that the session end should have occurred.
Do you have http2 enabled? I have this issue frequently: random things stop working with an "Invalid action" error (like clicking on the details of a file). Sometimes loading the /files/files URL, which should show the root folder, is just empty, saying No Files. Refresh fixes it. When checking the console, I see CSRF errors. Refreshing the page solves it. This has been happening since like NC27 or so. Around the same time, http2 was enabled on our reverse proxy.
This is still ongoing for random actions, like uploading a file.
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
<s:exception>Sabre\DAV\Exception\NotAuthenticated</s:exception>
<s:message>CSRF check not passed.</s:message>
</d:error>
Refreshing the page fixes the issue.
Bug description
I am getting frequent HTTP 412 errors; the response says {"message": "CSRF check failed"}. I think everything I've configured is reasonable. It started to appear after the upgrade to V26, and since I recently upgraded to V27 the problem has become more frequent! According to my experiments and observations, this problem may have something to do with the layout's head tag: when I use the data-requesttoken returned to me in the page's head to make a request, it generates a 412 error, but when I use "/csrftoken" to get the token, the request works! I have observed that this problem has been around for a long time and has not been resolved on the internet, so I hope to receive your further attention. I'd like to make a suggestion: would it be possible to catch a 412 error on the front-end, then call /csrftoken to refresh the CSRF token and immediately re-request?
https://github.com/nextcloud/server/blob/master/core/templates/layout.base.php#L3
https://github.com/nextcloud/server/blob/master/core/Controller/CSRFTokenController.php#L57
Steps to reproduce
1. Clocking a page
2. Accessing an interface without the @NoCSRFRequired annotation
Expected behavior
The request was successful
Installation method
Community Manual installation with Archive
Nextcloud Server version
27
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.0
Web server
Nginx
Database engine version
MySQL
Is this bug present after an update or on a fresh install?
Upgraded to a MAJOR version (ex. 22 to 23)
Are you using the Nextcloud Server Encryption module?
Encryption is Disabled
What user-backends are you using?
Configuration report
List of activated Apps
Nextcloud Signing status
No response
Nextcloud Logs
Additional info
Nextcloud 27.1.0
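The front-end retry suggested in the bug description, sketched as an added example; this is not code from the issue or from Nextcloud. It assumes that GET /csrftoken returns JSON of the form {"token": "..."}, that the token is sent in the `requesttoken` header, that `init.headers` is a plain object, and that request bodies can be resent; `makeCsrfFetch` and its options are hypothetical names.

```javascript
// Added example (not Nextcloud code): refresh the CSRF token once on HTTP 412.
// Assumptions: GET /csrftoken returns JSON {"token": "..."}; the token travels
// in the `requesttoken` header; makeCsrfFetch and its options are hypothetical.
function makeCsrfFetch({ baseUrl = '', initialToken, fetchImpl = globalThis.fetch }) {
  let token = initialToken; // e.g. the data-requesttoken value from <head>
  let refreshing = null;    // one shared in-flight refresh for parallel callers

  function refreshToken() {
    if (!refreshing) {
      refreshing = (async () => {
        const res = await fetchImpl(`${baseUrl}/csrftoken`, { credentials: 'same-origin' });
        if (!res.ok) throw new Error(`token refresh failed: HTTP ${res.status}`);
        token = (await res.json()).token;
      })().finally(() => { refreshing = null; });
    }
    return refreshing;
  }

  // 412 is also used for other failed preconditions, so match the body too.
  async function isCsrfFailure(res) {
    if (res.status !== 412) return false;
    try {
      return (await res.clone().json()).message === 'CSRF check failed';
    } catch {
      return false; // non-JSON body: not the error this page describes
    }
  }

  function send(path, init) {
    const headers = { ...(init.headers || {}), requesttoken: token };
    return fetchImpl(`${baseUrl}${path}`, { ...init, headers, credentials: 'same-origin' });
  }

  return async function csrfFetch(path, init = {}) {
    // Relative same-origin paths only, so the token never leaves the origin.
    if (!path.startsWith('/') || path.startsWith('//')) {
      throw new Error('csrfFetch only accepts same-origin paths');
    }
    const first = await send(path, init);
    if (!(await isCsrfFailure(first))) return first;
    await refreshToken();
    return send(path, init); // single retry; a second 412 goes to the caller
  };
}
```

The retry is limited to one attempt so that a token that keeps failing surfaces as an error instead of looping, which also keeps the failure visible in nextcloud.log for diagnosis.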