Registration from client drop (Plug.CSRFProtection.InvalidCSRFTokenError)


I’m trying to make an app using Phoenix on the server side and android as a client. I’m using pow and its extension PowEmailConfirmation for user managing.

Everything is working fine on the server, getting the email and the user registered in database:

[info] POST /registration
[debug] Processing with Pow.Phoenix.RegistrationController.create/2
Parameters: %{"_csrf_token" => "BysGcQ4-fTYgBQw2YlZnMA1KO3YhCA8AvYoEOSIfTTER7oWUJ0OBhgfh", "user" => %{"email" => "", "password" => "[FILTERED]", "password_confirmation" => "[FILTERED]"}}
Pipelines: [:browser]
[debug] QUERY OK db=0.3ms queue=0.2ms idle=1492.1ms
begin []
[debug] QUERY OK db=10.1ms
INSERT INTO "users" ("email","email_confirmation_token","password_hash","inserted_at","updated_at") VALUES ($1,$2,$3,$4,$5) RETURNING "id" ["", "e4737015-03dc-4c1e-a531-170fc5ff5a78", "$pbkdf2-sha512$100000$VDC+ReQClSWlqVg8JyH0UQ==$t9L1xYjHkfoNQ+IVz15lWjdkMd/3PrlZp9V+WY/lD6WxHIGM7E5/Ri70dxVWJd5MNhtUu/nlrrqlr4ehCjYTzg==", ~N[2021-06-08 11:18:58], ~N[2021-06-08 11:18:58]]
[debug] QUERY OK db=3.0ms
commit []

But the problem begins when I try to register a user from the client. First, it demanded the csrf_token, so I got it using this function in a controller:

# Returns the CSRF token for the current session as JSON.
# get_csrf_token/0 comes from Plug.CSRFProtection; the token it returns is
# only valid together with the session cookie set on this same response.
def gettoken(conn, _params) do
  token = get_csrf_token()
  json(conn, %{token: token})
end

And it works fine, but I’m still getting the same error I got without the csrf_token:

[info] POST /registration/
[debug] Processing with Pow.Phoenix.RegistrationController.create/2
Parameters: %{"_csrf_token" => "QV4MMwthASkCfkQDYSMgCUJbW0ECeyAcyhGUJRmlP716Rnrp4co2f6xN", "email" => "", "password" => "[FILTERED]", "password_confirmation" => "[FILTERED]"}
Pipelines: [:browser]
[info] Sent 403 in 5ms
[debug] ** (Plug.CSRFProtection.InvalidCSRFTokenError) invalid CSRF (Cross Site Request Forgery) token, please make sure that:

  • The session cookie is being sent and session is loaded
  • The request include a valid '_csrf_token' param or 'x-csrf-token' header
    (plug) lib/plug/csrf_protection.ex:311:
    (filmoteca) FilmotecaWeb.Router.browser/2
    (filmoteca) lib/filmoteca_web/router.ex:1: FilmotecaWeb.Router.pipe_through0/1
    (phoenix) lib/phoenix/router.ex:347:
    (filmoteca) lib/filmoteca_web/endpoint.ex:1: FilmotecaWeb.Endpoint.plug_builder_call/2
    (filmoteca) lib/plug/debugger.ex:136: FilmotecaWeb.Endpoint."call (overridable 3)"/2
    (filmoteca) lib/filmoteca_web/endpoint.ex:1:
    (phoenix) lib/phoenix/endpoint/cowboy2_handler.ex:65: Phoenix.Endpoint.Cowboy2Handler.init/4
    (cowboy) /home/dabiz/filmoteca/deps/cowboy/src/cowboy_handler.erl:37: :cowboy_handler.execute/2
    (cowboy) /home/dabiz/filmoteca/deps/cowboy/src/cowboy_stream_h.erl:306: :cowboy_stream_h.execute/3
    (cowboy) /home/dabiz/filmoteca/deps/cowboy/src/cowboy_stream_h.erl:295: :cowboy_stream_h.request_process/3
    (stdlib) proc_lib.erl:249: :proc_lib.init_p_do_apply/3

I don't know if I've missed something or it's just the way I introduce the user, which is out of the structure %User, but I don't know how to send it in that way using Retrofit2.

Thank you! And sorry for my English.

I think the problem is in here, but don’t know how to solve it.
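The error message above lists the two things Plug checks: the session must be loaded, and the presented token must belong to that session. A token fetched from one response is useless on its own; it only passes when the request also carries the session cookie set on the response that issued it. The following is an added example (not code from the post, from Pow or from Plug): a simplified Python model of a masked, session-bound CSRF token and of the check a browser pipeline performs. Sizes, encoding and the session store are assumptions chosen for illustration; the real Plug.CSRFProtection implementation differs in those details but applies the same two conditions. The scenarios replay the flows from the post: a browser form that sends cookie and token together is accepted, a client that keeps the token but drops the cookie gets the 403 seen in the log, and so does a token minted for a different session. For a non-browser client the usual alternative is to route the request through a pipeline without CSRF protection instead of shuttling tokens across sessions.

```python
import base64
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Assumption: token size modelled loosely on Plug.CSRFProtection; the real
# plug's encoding and sizes differ. This is an illustrative model only.
TOKEN_SIZE = 18


def new_session_token() -> bytes:
    """Unmasked secret stored server-side in the session under "_csrf_token"."""
    return secrets.token_bytes(TOKEN_SIZE)


def mask_token(session_token: bytes) -> str:
    """Per-request token handed to the client (the role of get_csrf_token/0).

    A fresh random mask is XORed with the session token so every response
    carries a different string; the mask travels with it so the server can
    reverse the operation. The result only means something together with
    the session that holds session_token.
    """
    mask = secrets.token_bytes(TOKEN_SIZE)
    xored = bytes(a ^ b for a, b in zip(session_token, mask))
    return base64.urlsafe_b64encode(xored + mask).decode("ascii")


def unmask_token(presented: str) -> Optional[bytes]:
    """Recover the session token from a masked token; None if malformed."""
    try:
        raw = base64.urlsafe_b64decode(presented.encode("ascii"))
    except (ValueError, UnicodeEncodeError):
        return None
    if len(raw) != 2 * TOKEN_SIZE:
        return None
    xored, mask = raw[:TOKEN_SIZE], raw[TOKEN_SIZE:]
    return bytes(a ^ b for a, b in zip(xored, mask))


def csrf_check(session: Optional[Dict[str, bytes]], params: Dict[str, str],
               headers: Dict[str, str]) -> Tuple[bool, str]:
    """Mirror the two conditions listed in Plug's InvalidCSRFTokenError."""
    if session is None or "_csrf_token" not in session:
        return False, "session not loaded: no session cookie was sent"
    presented = params.get("_csrf_token") or headers.get("x-csrf-token")
    if not presented:
        return False, "no _csrf_token param or x-csrf-token header"
    unmasked = unmask_token(presented)
    if unmasked is None or not hmac.compare_digest(unmasked, session["_csrf_token"]):
        return False, "token was not issued for this session"
    return True, "ok"


def scenarios() -> Dict[str, bool]:
    """Replay the flows from the post against the model (constructed data)."""
    store: Dict[str, Dict[str, bytes]] = {}  # cookie value -> session data

    def start_session() -> str:  # GET /gettoken sets a session cookie...
        cookie = secrets.token_hex(8)
        store[cookie] = {"_csrf_token": new_session_token()}
        return cookie

    def load(cookie: Optional[str]) -> Optional[Dict[str, bytes]]:
        return store.get(cookie) if cookie else None

    cookie = start_session()
    token = mask_token(store[cookie]["_csrf_token"])  # ...and returns the token

    results: Dict[str, bool] = {}
    # Browser form: cookie and token from the same response -> accepted.
    results["cookie_and_token"] = csrf_check(load(cookie), {"_csrf_token": token}, {})[0]
    # Same token sent in the x-csrf-token header instead of the body -> accepted.
    results["cookie_and_header"] = csrf_check(load(cookie), {}, {"x-csrf-token": token})[0]
    # Client keeps the token but does not replay the cookie -> 403, as in the post.
    results["token_without_cookie"] = csrf_check(load(None), {"_csrf_token": token}, {})[0]
    # Cookie from one session, token minted for another -> 403.
    other = start_session()
    results["token_from_other_session"] = csrf_check(load(other), {"_csrf_token": token}, {})[0]
    # Malformed token -> 403 rather than a crash.
    results["garbage_token"] = csrf_check(load(cookie), {"_csrf_token": "not-a-token"}, {})[0]
    return results


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:26s} -> {'accepted' if accepted else '403 invalid CSRF token'}")
```

Running the script prints one line per scenario; only the two requests that pair the cookie with a token issued for that same session are accepted, which is the condition the Retrofit2 client in the post is not meeting.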