No connection to socket without CSRF Token

I am trying to send curl requests to my Phoenix app, but I am having trouble with the CSRF tokens.

I am happy to just remove this protection (this is a small test app and security isn’t an issue), but when I remove plug :protect_from_forgery from the router.ex, the app keeps giving errors:
[debug] LiveView session was misconfigured or the user token is outdated.

If I remove <%= csrf_meta_tag() %> from the root.html.ex page, then I don’t get any more errors, but the socket doesn’t connect.

Is there a way to get the LiveView socket to connect without having plug :protect_from_forgery present?
Or is there an easy way to get curl requests to work with CSRF tokens?


Yes. You need to get rid of everything regarding sessions. See here for an example:

Whether this is OK security-wise is up to you. For most applications, it may be easier to have duplicated routes for API access:

  # Browser pipeline: sessions plus CSRF protection, which LiveView relies on.
  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_flash
    plug :protect_from_forgery
    plug :put_secure_browser_headers
  end

  # Session-less pipeline for API/curl clients: no session, so no CSRF check.
  pipeline :api do
    plug :accepts, ["html", "json"]
  end
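For the other option raised in the question, keeping plug :protect_from_forgery and letting curl play along with it, here is an added example (not code from the thread): fetch the page that renders csrf_meta_tag(), keep the session cookie, and send the token back in the x-csrf-token header that Plug.CSRFProtection checks. It assumes an app on BASE_URL with a GET page at /login and a POST endpoint at /session; those paths are placeholders.

```shell
#!/usr/bin/env bash
# Added example: talk to a Phoenix app WITHOUT removing CSRF protection.
# Assumptions (placeholders): app at BASE_URL, a page rendering
# <%= csrf_meta_tag() %> at /login, and a POST route at /session.
# The CSRF token is bound to the session cookie, so the same cookie jar
# must be used for the GET that yields the token and the POST that sends it.

BASE_URL="${BASE_URL:-http://localhost:4000}"
JAR="${JAR:-/tmp/phx_cookies.txt}"

# Extract the token from the <meta ... name="csrf-token" ...> tag on stdin.
# Attribute order differs between Phoenix.HTML versions, so first isolate the
# tag that carries name="csrf-token", then pull out its content attribute.
extract_csrf_token() {
  grep -o '<meta[^>]*name="csrf-token"[^>]*>' \
    | head -n 1 \
    | sed -n 's/.*content="\([^"]*\)".*/\1/p'
}

# Step 1: GET the page, storing the session cookie in the jar.
fetch_token() {
  curl -s -c "$JAR" "$BASE_URL/login" | extract_csrf_token
}

# Step 2: POST with the same cookie and the token in the x-csrf-token header.
# Plug.CSRFProtection accepts the token either as the _csrf_token form field
# or as this header; a missing or stale token yields a 403 instead of a 200.
post_with_csrf() {
  local token
  token="$(fetch_token)"
  [ -n "$token" ] || { echo "no csrf-token meta tag found at $BASE_URL/login" >&2; return 1; }
  curl -s -b "$JAR" -c "$JAR" \
    -H "x-csrf-token: $token" \
    --data-urlencode "user[email]=test@example.com" \
    "$BASE_URL/session"
}

# Usage (run manually against a live app): post_with_csrf
```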

Thanks but that just gives a new error:
** (ArgumentError) cannot fetch session without a configured session plug

Like I said before:

You need to get rid of everything regarding sessions.

Sorry, I understand now. I have set up a duplicate route for API access.

Thank you