Closed eneroth closed 3 years ago
Hi Henrik,
Only had the opportunity to skim this - but just checking that you saw the example project? Was that no help?
Hi!
I've largely followed the example project, with three differences:
Other than that, I'm following the basic structure of the example project pretty closely.
It works as intended with :csrf-token-fn nil.
Assuming the example project is working as intended - have you tried maybe introducing your differences to the example 1-at-a-time to see which specific change is causing trouble?
After some vigorous logging, it seems that the token is escaped at some point when transferred to the client. Maybe Ring escapes it as it is set as a cookie?
Either way it doesn't seem to be a problem with Sente itself: inspecting the cookie in the browser confirms that it's escaped before reaching storage, not upon retrieval.
{:server-token "OWFYMPMAaJyr1np0F/rJ89CdS4t6YhE3+PamQQHbvoS3lcSNYhVydH16Bww0A96BVWhlsxcDJB159BE0"
:client-token "OWFYMPMAaJyr1np0F%2FrJ89CdS4t6YhE3%2BPamQQHbvoS3lcSNYhVydH16Bww0A96BVWhlsxcDJB159BE0"
:ok? false}
Yep, my fault for making assumptions and not reading the docs, as it turns out:
wrap-cookies
(wrap-cookies handler)
(wrap-cookies handler options)
Parses the cookies in the request map, then assocs the resulting map
to the :cookies key on the request.
Accepts the following options:
:decoder - a function to decode the cookie value. Expects a function that
takes a string and returns a string. Defaults to URL-decoding.
:encoder - a function to encode the cookie name and value. Expects a
function that takes a name/value map and returns a string.
Defaults to URL-encoding.
Solution:
Just make sure to URL decode token before handing to Sente:
;; Cookies here is goog.net.Cookies from the Closure Library
;; (assumes (:import goog.net.Cookies) in the ns form)
(def cookies (Cookies. js/document))
;; Ring's wrap-cookies URL-encodes the cookie value by default, so the
;; '/' and '+' of the base64 token arrive as %2F and %2B; decode them first
(def csrf-token (js/decodeURIComponent (.get cookies "csrf-token")))
(Thanks for the suggestions along the way!)
Great, happy you found a solution Henrik. Thanks a lot for sharing the details - they could be helpful for others! Cheers :-)
Another common reason why Reitit users could have a Bad CSRF token issue: https://github.com/metosin/reitit/issues/205
I'm bashing my head against the CSRF token.
This is what happens:
anti-forgery generates a token. I grab that and set it in a cookie in the response:
Then retrieve it from there in CLJS:
3 repeats forever, with Bad CSRF token as the only response. What am I doing wrong here?