Error -> cannot generate CSRF token for a host because

jos · March 25, 2018, 7:46pm

hmm, I ran a mix deps.update --all and I think I got a new version of plug (1.5) installed.
Im getting an error now on a call to a different Phoenix umbrella app.

cannot generate CSRF token for a host because get_csrf_token_for/1 is invoked in a separate process than the one that started the request

Im running an umbrella behind a proxy, so I think the error is correct, its a separate proces where the call is coming from

I read in the plug documentation allow_hosts option, maybe this would solve my problem?
But where so i set this option in phoenix?

sean · March 29, 2018, 9:43pm

I’m also experiencing this issue.

OvermindDL1 · March 29, 2018, 9:54pm

A few things could cause this, one is not having the CSRF protection plugin the pipeline, another would be having a server handle the request for the wrong host, etc…

See code at:

github.com

elixir-plug/plug/blob/fbc55581457b6263053573867fb876d90a5517b0/lib/plug/csrf_protection.ex#L181




    %{secret_key_base: secret} = secrets ->
      unmasked = unmasked_csrf_token()
      message = generate_token() <> host
      key = KeyGenerator.generate(secret, unmasked)
      token = MessageVerifier.sign(message, key)
      Process.put(:plug_csrf_token_per_host, Map.put(secrets, host, token))
      token


    _ ->
      raise "cannot generate CSRF token for a host because get_csrf_token_for/1 is invoked " <>
              "in a separate process than the one that started the request"
  end
end


@doc """
Deletes the CSRF token from the process dictionary.


This will force the token to be deleted once the response is sent.
"""
def delete_csrf_token do

sean · March 29, 2018, 10:20pm

Thanks for help. FWIW I’m seeing this error in a Phoenix app which appears to be invoking the Plug.CSRFProtection, i.e. it’s not explicitly listed in my Plug pipeline.

 test/views/layout_view_test.exs:38
 ** (RuntimeError) cannot generate CSRF token for a host because get_csrf_token_for/1 is invoked in a separate process than the one that started the request
 stacktrace:
   (plug) lib/plug/csrf_protection.ex:181: Plug.CSRFProtection.get_csrf_token_for/1
   (phoenix_html) lib/phoenix_html/tag.ex:267: Phoenix.HTML.Tag.csrf_token_tag/3
   (phoenix_html) lib/phoenix_html/tag.ex:220: Phoenix.HTML.Tag.form_tag/2
   (phoenix_html) lib/phoenix_html/form.ex:288: Phoenix.HTML.Form.form_for/4
...

sean · March 30, 2018, 12:20am

Looks like maybe Phoenix.HTML doesn’t provide a way to thread the :allow_hosts option through to its call to Plug.CSRFProtection.get_csrf_token_for:

github.com

phoenixframework/phoenix_html/blob/c5843aedc92ade21f6c6a544b7538b90f6e5d257/lib/phoenix_html/tag.ex#L267


def form_tag(action, options, do: block) do
  html_escape([form_tag(action, options), block, raw("</form>")])
end


defp csrf_token_tag(to, opts, extra) do
  case Keyword.pop(opts, :csrf_token, true) do
    {csrf_token, opts} when is_binary(csrf_token) ->
      {extra <> ~s'<input name="#{@csrf_param}" type="hidden" value="#{csrf_token}">', opts}


    {true, opts} ->
      csrf_token = Plug.CSRFProtection.get_csrf_token_for(to)
      {extra <> ~s'<input name="#{@csrf_param}" type="hidden" value="#{csrf_token}">', opts}


    {false, opts} ->
      {extra, opts}
  end
end


@doc """
Generates a meta tag with CSRF information.

OvermindDL1 · March 30, 2018, 2:51pm

So is this only happening during testing?

jos · March 30, 2018, 3:16pm

Nope, it happens on :dev :test and :prod

I ‘fixed’ my problem to move the rendering of form partials to the same host as where the call is coming from.

I didnt look further in it for now because I needed a quick fix. It seems to do with plug 1.5 and html_phoenix, form_for

OvermindDL1 · March 30, 2018, 4:12pm

Wait what? How are you generating form partials on ‘other’ servers? o.O

jos · March 30, 2018, 7:27pm

Yes I do

OvermindDL1 · March 30, 2018, 9:11pm

How though? I’m quite curious!

griffinbyatt · March 31, 2018, 12:13am

The allow_hosts option will be configured with the protect_from_forgery plug in your router!

daveboo · April 8, 2020, 12:06am

I can’t find any help on how to do this?