Strange "cannot fetch key "_csrf_token" from conn.body_params because they were not fetched"

axelson · October 28, 2020, 8:40pm

I’m encountering the following error and I’m not sure why:
cannot fetch key "_csrf_token" from conn.body_params because they were not fetched

I’m on Phoenix 1.5.3, but I don’t see any fixes in newer versions

Looking into this a bit body_params is set by Plug.Parsers and my configuration is standard:

plug Plug.Parsers,
  parsers: [:urlencoded, :multipart, :json],
  pass: ["*/*"],
  json_decoder: Phoenix.json_library()

And I don’t have any other plugs in my Endpoint that should be reading body_params

Also my browser pipeline is pretty standard (and this request did go through this pipeline):

pipeline :browser do
  plug :accepts, ["html"]
  plug :fetch_session
  plug :fetch_live_flash
  plug :protect_from_forgery
  plug :put_secure_browser_headers
  plug :require_not_banned
  plug :fetch_current_user
end

Any ideas on where to look?

al2o3cr · October 29, 2020, 2:07am

protect_from_forgery uses Plug.CsrfProtection which has a very similar-sounding bug:

Looks like it was fixed a couple months back on master but not yet released.

axelson · October 29, 2020, 2:17am

Thanks! That does seem like what I may be seeing. Looks like that change never made it to the changelog. I’ll update plug and hopefully it’ll be handled better after that.

josevalim · October 29, 2020, 8:17am

v1.11.0 released.

axelson · October 29, 2020, 8:51am

Thanks José!

thiagomajesk · December 27, 2020, 2:36am

Just had the same issue using Phoenix 1.5.4. Upgraded to 1.5.7 and it solved for me