statamic / cms

The core Laravel CMS Composer package
https://statamic.com

CSRF token error with forms and static caching #9162

Closed robdekort closed 9 months ago

robdekort commented 9 months ago

Bug description

I recently switched to precognition for forms and form submission. Therefore I deleted all custom CSRF token stuff I used to have when submitting forms using fetch() as I was under the impression Statamic handles that these days. Unfortunately on production with static caching I get a 419 error in the console when the token expires.

How to reproduce

  1. Use a Peak form
  2. Use static caching
  3. Let stuff expire

Logs

No response

Environment

Environment
Application Name: Studio 1902
Laravel Version: 10.35.0
PHP Version: 8.2.10
Composer Version: 2.5.8
Environment: local
Debug Mode: ENABLED
URL: 1902.test
Maintenance Mode: OFF

Cache
Config: NOT CACHED
Events: NOT CACHED
Routes: NOT CACHED
Views: NOT CACHED

Drivers
Broadcasting: log
Cache: statamic
Database: mysql
Logs: stack / single
Mail: smtp
Queue: sync
Session: file

Locales
Installed
LaravelLang\Attributes\Plugin: 2.5.1
LaravelLang\HttpStatuses\Plugin: 3.6.3
LaravelLang\Lang\Plugin: 13.11.0
Locales Version: 1.9.0
Protected
Publisher Version: 15.0.2

Livewire
Livewire: v3.2.6

Statamic
Addons: 6
Antlers: runtime
Stache Watcher: Enabled
Static Caching: Disabled
Version: 4.39.0 PRO

Statamic Addons
jonassiewertsen/statamic-livewire: 3.0.0
ryanmitchell/statamic-translation-manager: 1.2.2
studio1902/statamic-peak-browser-appearance: 3.3.2
studio1902/statamic-peak-commands: 3.1.0
studio1902/statamic-peak-seo: 7.3.1
studio1902/statamic-peak-tools: 4.0.2

Installation

Starter Kit using via CLI

Antlers Parser

None

Additional details

No response

robdekort commented 9 months ago

BTW I also have a site on production I could add you to, so you can play around with the issue.

jasonvarga commented 9 months ago

You need to add the X-CSRF-TOKEN header in your javascript if you're submitting via ajax.
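
The header Jason refers to, as an added example that is not code from Statamic, Peak or this thread: Laravel's CSRF middleware accepts the token either as the `_token` form field or as an `X-CSRF-TOKEN` request header, and a fetch()-based submission has to supply one of them explicitly. The form is modelled here as a plain object of field names and values so the logic runs outside a browser (in a page you would fill it from `new FormData(formElement)`); the `/forms/contact` action, the token strings and the `refreshToken` callback are constructed placeholders, not real Statamic endpoints or APIs.

```javascript
// Added example (not Statamic's, Peak's or the thread author's code).
// Demonstrates sending the CSRF token as X-CSRF-TOKEN on a fetch() POST and
// telling a 419 "token/session expired" response apart from a 422 validation error.

// Locate the CSRF token: the hidden _token input rendered in the form first,
// the <meta name="csrf-token"> content second. Returns null if neither exists.
function resolveCsrfToken(fields, metaTokenContent) {
  if (fields && fields._token) return fields._token;
  if (metaTokenContent) return metaTokenContent;
  return null;
}

// Build the fetch() call for a form POST. Refuses to build a request with no
// token, because a token-less AJAX POST is exactly what yields the 419.
function buildSubmission(action, fields, metaTokenContent) {
  const token = resolveCsrfToken(fields, metaTokenContent);
  if (!token) {
    throw new Error('No CSRF token available; refusing to submit without one');
  }
  const body = new URLSearchParams();
  for (const [name, value] of Object.entries(fields)) {
    if (name !== '_token') body.append(name, value); // token travels in the header instead
  }
  return {
    url: action,
    init: {
      method: 'POST',
      credentials: 'same-origin', // send the session cookie the token is bound to
      headers: {
        'X-CSRF-TOKEN': token,
        'X-Requested-With': 'XMLHttpRequest',
        'Accept': 'application/json',
      },
      body: body.toString(),
    },
  };
}

// Map the HTTP status to an outcome the form UI can act on. 419 is Laravel's
// "Page Expired" (CSRF/session mismatch); 422 is a validation failure.
function classifyResponse(status) {
  if (status === 419) return 'token-expired';
  if (status === 422) return 'validation-failed';
  if (status >= 200 && status < 300) return 'ok';
  return 'error';
}

// Browser glue (hypothetical): submit once, and if the token has expired ask the
// caller for a fresh one (e.g. by re-fetching the page) and retry a single time.
async function submitWithRetry(fetchImpl, action, fields, metaTokenContent, refreshToken) {
  let { url, init } = buildSubmission(action, fields, metaTokenContent);
  let response = await fetchImpl(url, init);
  if (classifyResponse(response.status) === 'token-expired' && refreshToken) {
    const fresh = await refreshToken();
    ({ url, init } = buildSubmission(action, { ...fields, _token: fresh }, null));
    response = await fetchImpl(url, init);
  }
  return response;
}

// Constructed sample input: what a form's fields look like after FormData extraction.
const sampleFields = { _token: 'constructed-token-abc123', email: 'jane@example.com', message: 'Hi' };
const sample = buildSubmission('/forms/contact', sampleFields, null);
console.log(sample.init.headers['X-CSRF-TOKEN'], sample.init.body, classifyResponse(419));
```

With static caching, the `_token` baked into cached HTML can be older than the visitor's session, so reading the token at submit time and treating a 419 as "refresh the token" rather than as a validation error is the part that matters for the symptom in this issue.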

jasonvarga commented 9 months ago

Looks like you removed that when you refactored to precognition.

https://github.com/studio1902/statamic-peak-tools/commit/a4d3e46e1d2200f42ed868d8c8e5666c55da0920#diff-67dc6199fc05b44468306b2bc912e4212ec43541652651def4e83a1f95327308L26

robdekort commented 9 months ago

Seems I got myself into way more trouble than I should've. I figured it would use the hidden _token field when the form got submitted. I'll look into it. Thanks Jason.

robdekort commented 9 months ago

The $form helper does seem to submit the token. I took the submission snippet straight from the Precognition docs.

[Screenshot attached: 2023-12-08 15:59:18]