taoensso / sente

Realtime web comms library for Clojure/Script
https://www.taoensso.com/sente
Eclipse Public License 1.0

Example fails if first url exists in resources #318

Closed jacovig closed 4 years ago

jacovig commented 6 years ago

When your first url (e.g. /index.html) exists in resources, no csrf token is ever transmitted. Seems to be due to wrap-resources taking place before wrap-anti-forgery in wrap-defaults and so stealing the request, which then does not get anti-forgery. Changing the order (first anti-forgery, next wrap-resources) works like a charm.

ptaoussanis commented 6 years ago

Thanks for the report, PR welcome!

timothypratley commented 6 years ago

This issue seems to be with ring-defaults more than sente... ? I don't see a way Sente can get a csrf with the current ring wrap-defaults site-defaults behavior, so custom middleware wrapping is required. This seems like a really bad default for ring; I'll try to raise an issue on ring-defaults.

timothypratley commented 6 years ago

https://github.com/ring-clojure/ring-defaults/issues/23

timothypratley commented 6 years ago

Ring now puts anti-forgery in the request (for ring-defaults 0.3.2+).

https://github.com/ptaoussanis/sente/pull/323

^^ this small change looks for the token and uses it if available, and resolves the Sente issue.
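The ordering problem the report describes, and why putting anti-forgery outermost fixes it, as an added example that is not code from Sente or Ring: a dependency-free Clojure model in which `wrap-static` stands in for wrap-resource, `wrap-csrf` for wrap-anti-forgery, and the `resources` map and every name are constructed for illustration.

```clojure
;; Added example, not Sente's or Ring's own code: a dependency-free model of the
;; middleware ordering described in this issue. `wrap-static` stands in for
;; wrap-resource (answers from the resource path and short-circuits), `wrap-csrf`
;; for wrap-anti-forgery (issues a token for the request). The `resources` map
;; and all names here are constructed for illustration.

(def resources
  "Constructed stand-in for files on the classpath resource path."
  {"/index.html" "<html><body>static index</body></html>"})

(defn wrap-static
  "Serve a matching resource and stop; otherwise pass to the inner handler."
  [handler]
  (fn [req]
    (if-let [body (get resources (:uri req))]
      {:status 200 :body body}          ; inner middleware never sees this request
      (handler req))))

(defn wrap-csrf
  "Issue a token, hand it to the inner handler on the request, and record it on
  the response (standing in for the session write wrap-anti-forgery performs)."
  [handler]
  (fn [req]
    (let [token (str (java.util.UUID/randomUUID))
          resp  (handler (assoc req :anti-forgery-token token))]
      (assoc resp :anti-forgery-token token))))

(defn app-handler
  "Innermost handler for non-static routes, e.g. a dynamically rendered page."
  [req]
  {:status 200 :body (str "dynamic page for " (:uri req))})

;; Order the report describes for wrap-defaults: static serving is outermost, so a
;; request for an existing resource is answered before wrap-csrf ever runs.
(def resource-first-app (-> app-handler wrap-csrf wrap-static))

;; Order the reporter switched to: wrap-csrf is outermost and runs for every request.
(def csrf-first-app (-> app-handler wrap-static wrap-csrf))

(defn token-issued?
  "True when handling `uri` through `app` caused a CSRF token to be issued."
  [app uri]
  (contains? (app {:uri uri :request-method :get}) :anti-forgery-token))

(doseq [[label app] [["resource-first" resource-first-app]
                     ["csrf-first"     csrf-first-app]]
        uri ["/index.html" "/app"]]
  (println label uri (if (token-issued? app uri) "token issued" "no token")))
```

Only the request for the dynamic route gets a token under the resource-first order; with CSRF outermost both routes do, which is the behaviour the reporter observed after swapping the middleware.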