Server side rendered form delivered through channel csrf_token issue

Phoenix Forum Questions / Help
, , ,
1

I’m trying to render a form server side and deliver it over a channel. I can render the form and display it correctly but I’m getting an invalid csrf_token error when I try to post the form.

Can anyone help me troubleshoot this. I’ve tried to set the _csrf_token field to the same as the original session but I still get the same error.

Thanks,

Jeff

2

Have you tried sending a new CSRF with the new form?

Also you might look at using Drab for this as its designed precisely for purposes like that.

3

I wonder whether this is tripping you up:

When posting a form with a host in its address, such as “//host.com/path” instead of only “/path”, Phoenix will include the host signature in the token and validate the token only if the accessed host is the same as the host in the token. This is to avoid tokens from leaking to third party applications. If this behaviour is problematic, you can generate a non-host specific token with Plug.CSRFProtection.get_csrf_token/0 and pass it to the form generator via the :csrf_token option.

And

If you are sending data to a full URI, such as //subdomain.host.com/path or //external.com/path , instead of a simple path such as /path , you may want to consider using get_csrf_token_for/1 , as that will encode the host in the CSRF token. Once received, Plug will only consider the CSRF token to be valid if the host encoded in the token is the same as the one in conn.host .

  <div>get_csrf_token: <%= "#{inspect Plug.CSRFProtection.get_csrf_token()}" %></div>
  <div>get_csrf_token_for: <%= "#{inspect Plug.CSRFProtection.get_csrf_token_for(Plug.Conn.request_url(@conn))}" %></div>
  <div>session _csrf_token: <%= "#{inspect Plug.Conn.get_session(@conn,"_csrf_token")}"  %></div>


get_csrf_token: "Aj0JAQsBOQ4BAD1BLh0yQVM9LzImNgAAJWc0oYhX2LJ+wDs1bvVvVg=="
get_csrf_token_for: "SFMyNTY.VXNyTUFWdGxSRDFQWlFobGd2ZFVPUT09bG9jYWxob3N0.gGQhCqEGKZ3qkXsHNwvB7AP4jt9T5TWle5OoUPi5GrQ"
session _csrf_token: "Hjj1dXQV3LwjYYAp1KyDpQ=="

_csrf_token is simply the “unmasked” CSRF token - your particular form element may have Phoenix looking for the token that includes the host.

Edit: Looking at the source code I’m guessing you can’t use the raw _csrf_token in the form element. In the absence of the host in the URL you have to use the masked value from Plug.CSRFProtection.get_csrf_token/0 otherwise use Plug.CSRFProtection.get_csrf_token_for/1 .

See also: Elixir, Phoenix, CSRF tokens

4 Likes
4

Thanks for the info. I haven’t been able to try this yet but will give it a shot and will definitely reply back if I figure it out.

5

Thanks for the reply. Yes, I tried sending a new CSRF. i think I need to do some more research and see exactly when and where it is validated and see what is’nt reconciling. Drab looks cool, but i think I’m gonna wait and see how awesome LiveView is :slight_smile:

1 Like