sheehan / grails-console

A web-based Groovy console for interactive runtime application management and debugging
Apache License 2.0
78 stars, 41 forks

4.0.0.RC1 Grails Incompatible - Server returned 403: CSRF token doesn't match. #71

Open codeconsole opened 5 years ago

codeconsole commented 5 years ago

The plugin does not work with Grails 4.0.0.RC1

Executing a script results in the following message: Server returned 403: CSRF token doesn't match. Please refresh the page.

Setup:

sdk use grails 4.0.0.RC1
grails create-app demo
cd demo
# add runtime 'org.grails.plugins:grails-console:2.1.1' to build.gradle
grails run-app

visit: http://localhost:8080/console/index#new and hit the play button/execute a script.

sheehan commented 5 years ago

I just tested and it seems to be working for me. Does it work for you after a page refresh?

codeconsole commented 5 years ago

Refresh has no impact. Interestingly, it will work in an incognito window.

Strange, I just tested 3.3.9 and it doesn't work either so I guess this isn't related to Grails 4.

I am using Chrome 74.0.3729.131 on Mac OS Mojave 10.14.4

This used to work fine. Not sure what is going on here. Any ideas?

codeconsole commented 5 years ago

Safari works fine.

codeconsole commented 5 years ago

Any ideas on what might be causing the issue in Chrome? I tried disabling all my extensions. Still doesn't work. Weird that it works in incognito mode.

sheehan commented 5 years ago

Strange. It works for me in Chrome (same Chrome and Mac version). Does it work if you set grails.plugin.console.csrfProtection.enabled = false?

codeconsole commented 5 years ago

Yes, and like I said, the csrfProtection works fine in an incognito window. Anything I can reveal by inspecting the headers?

sheehan commented 5 years ago

The execute call should send an X-CSRFToken header that matches what's stored in the session.

https://github.com/sheehan/grails-console/blob/master/grails3/plugin/grails-app/controllers/org/grails/plugins/console/TokenInterceptor.groovy#L14