taoensso / sente

Realtime web comms library for Clojure/Script
https://www.taoensso.com/sente
Eclipse Public License 1.0

How do I turn off the CSRF token requirement? #364

Closed endrebak closed 4 years ago

endrebak commented 4 years ago

I am getting the warning in the console log:

WARN [taoensso.sente:1457] - WARNING: no CSRF token provided. Connections will FAIL if server-side CSRF check is enabled (as it is by default).

and later, unsurprisingly it says:

GET http://localhost:3000/chsk?udt=1580473950020&client-id=0af85a89-7d0d-43b1-a3b5-0b8730da8c1a&handshake%3F=true 403 (Forbidden)
WARN [taoensso.sente:1255] - Chsk is closed: will try reconnect attempt (1) in 1090 ms

I do not know what I am doing, but I am guessing these two are related. I am just testing out sente for now. How do I turn off the CSRF check?

ptaoussanis commented 4 years ago

Hi Endre! You can turn off the CSRF check with a nil :csrf-token-fn argument passed to socket-server!. You can see that fn's docstring for more info.

Would recommend against that though; adding a CSRF is quite easy - you can see an example of how this is done in the example project.

Hope that helps! Best of luck :-)
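
An added example (not part of the original thread and not the project's own code) of the alternative recommended above: keep the server-side CSRF check enabled and hand the token to the client. It assumes ring-defaults, the http-kit adapter and a compiled client served at /main.js; the names example.chsk, landing-page, routes and the sente-csrf-token element id are hypothetical.

```clojure
;; Added example as one .cljc file: server half under :clj, browser half under :cljs.
;; Assumed: ring-defaults, http-kit adapter, client bundle at /main.js.
(ns example.chsk
  (:require
   [taoensso.sente :as sente]
   #?@(:clj [[ring.middleware.anti-forgery :as anti-forgery]
             [ring.middleware.defaults :refer [wrap-defaults site-defaults]]
             [taoensso.sente.server-adapters.http-kit :refer [get-sch-adapter]]])))

#?(:clj
   (do
     ;; No :csrf-token-fn override: Sente's default check stays enabled and
     ;; reads the token that ring-anti-forgery attaches to each request.
     (defonce chsk-server
       (sente/make-channel-socket-server! (get-sch-adapter) {}))

     (defn landing-page
       "Embeds the per-session token in the HTML so the client can read it."
       [_ring-req]
       {:status  200
        :headers {"Content-Type" "text/html"}
        :body    (str "<div id=\"sente-csrf-token\" data-csrf-token=\""
                      (force anti-forgery/*anti-forgery-token*)
                      "\"></div><script src=\"/main.js\"></script>")})

     (defn routes [{:keys [uri request-method] :as req}]
       (let [{:keys [ajax-get-or-ws-handshake-fn ajax-post-fn]} chsk-server]
         (case [request-method uri]
           [:get "/"]      (landing-page req)
           [:get "/chsk"]  (ajax-get-or-ws-handshake-fn req)
           [:post "/chsk"] (ajax-post-fn req)
           {:status 404 :body "not found"})))

     ;; site-defaults turns on sessions, params and wrap-anti-forgery.
     (def app (wrap-defaults routes site-defaults))))

#?(:cljs
   (do
     (def ?csrf-token
       (when-let [el (.getElementById js/document "sente-csrf-token")]
         (.getAttribute el "data-csrf-token")))

     ;; Passing the token here avoids the "no CSRF token provided" warning
     ;; and lets the /chsk handshake pass the server-side check.
     (defonce chsk-client
       (sente/make-channel-socket-client! "/chsk" ?csrf-token {:type :auto}))))
```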

endrebak commented 4 years ago

Thanks! I dunno if there is any point in a CSRF token for a same machine app though: I will need to read up on it :)

n2o commented 2 years ago

Hi, I tried this, but there is still this error message in the js/console...

(defstate socket
  :start (sente/make-channel-socket!
          (get-sch-adapter)
          {:csrf-token-fn nil
           :user-id-fn (fn [ring-req]
                         (get-in ring-req [:parameters :query :client-id]))}))