
Comments (8)

francoposa avatar francoposa commented on June 8, 2024

The error always comes from csrf.go, line 216:

realToken, err := cs.st.Get(r)

err is always "http: named cookie not present"

So it seems that axios is not sending it?

from csrf.

masayomitan avatar masayomitan commented on June 8, 2024

Does someone know? Almost the same problem.


francoposa avatar francoposa commented on June 8, 2024

I actually figured this out, at least for serving on localhost: https://github.com/francoposa/go-csrf-examples (sorry for no documentation yet but the code is simple).

It's about the CORS settings; here's what I use for the API server (see the config.local.yaml files in the repo).
It's a shame CORS is not mentioned in the documentation.

---
server:
  host: localhost
  port: 8080
  timeout:
    server: 30
    read: 15
    write: 10
    idle: 5
  cors:
    allowCredentials: true
    allowedHeaders:
      - X-CSRF-Token
    exposedHeaders:
      - X-CSRF-Token
    allowedOrigins:
      - http://localhost*
    debug: true
  csrf:
    secure: false  # false in development only!
    key: place-your-32-byte-long-key-here
    cookieName: csrf
    header: X-CSRF-Token

For the UI side, I wrote a quick static file server so that the JavaScript is served from localhost. Just opening the index.html file in the browser will not register with the API server as requests coming from localhost.

Also see that Axios lowercases all the headers it receives from the response: https://github.com/francoposa/go-csrf-examples/blob/main/ui/axios-js/web/static/index.js#L6


DavidLarsKetch avatar DavidLarsKetch commented on June 8, 2024

@francoposa are there specific changes to the docs you can suggest given the above?


francoposa avatar francoposa commented on June 8, 2024

Hi @DavidLarsKetch

I have forked with the intention of doing all of the below, but have been otherwise occupied since then.

If anyone feels inspired to tackle it before I get to it, I do feel pretty confident that the CORS configuration in my example repo is the absolute minimum config to get this working, with no extra stuff. I played around with this for days trying to get it as simple as possible.

Documentation updates in order of effort and helpfulness least to most:

  1. Some mention that the JavaScript examples won't work without applying CORS configuration to the server
  2. Linking to suggested CORS libraries
  3. Describing what a working CORS configuration would be
  4. Working code examples
    ... Extra credit? Maybe a basic description of the necessary CORS settings (AllowCredentials, ExposedHeaders, AllowedHeaders) and why they're needed

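As an added, runnable illustration of the three CORS settings francoposa names (AllowCredentials, AllowedHeaders, ExposedHeaders) and of the "named cookie not present" error from the first comment: this is editor-written example code, not code from the thread, from gorilla/csrf, or from the go-csrf-examples repo. It uses only the Go standard library: a small CORS middleware standing in for a CORS library, and a simplified double-submit CSRF check (not gorilla/csrf's signed-cookie scheme) that fails with the same error when the browser does not send the cookie. The config field names, the UI origin http://localhost:3000, the /api/token and /api/submit paths and the fixed token value are all assumptions made for the example. The browser attaches the csrf cookie to a cross-origin XHR only when the client asks for credentials (axios `withCredentials: true`) and the server answers with `Access-Control-Allow-Credentials: true`; the custom X-CSRF-Token request header is what forces the preflight, and the X-CSRF-Token response header is readable from JavaScript only because it is listed in Expose-Headers.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// corsConfig mirrors the cors: section of the thread's config.local.yaml; field names are assumptions.
type corsConfig struct {
	AllowedOrigins   []string // "http://localhost*": a trailing * is treated as a prefix match here
	AllowedHeaders   []string // request headers a preflight may approve (X-CSRF-Token)
	ExposedHeaders   []string // response headers JavaScript may read (X-CSRF-Token)
	AllowCredentials bool     // without this the browser never attaches the csrf cookie cross-origin
}

// originAllowed: exact match, or prefix match for a trailing "*". Caveat: "http://localhost*" also
// matches "http://localhost.attacker.example", so list exact origins outside local development.
func (c corsConfig) originAllowed(origin string) bool {
	for _, p := range c.AllowedOrigins {
		if (strings.HasSuffix(p, "*") && strings.HasPrefix(origin, strings.TrimSuffix(p, "*"))) || p == origin {
			return true
		}
	}
	return false
}

// corsMiddleware is a stdlib stand-in for a CORS library; it implements only what the thread needs.
func corsMiddleware(c corsConfig, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin == "" || !c.originAllowed(origin) {
			next.ServeHTTP(w, r) // same-origin or disallowed origin: no CORS headers, the browser blocks the read
			return
		}
		h := w.Header()
		h.Set("Access-Control-Allow-Origin", origin) // echo the origin; "*" is rejected with credentials
		h.Add("Vary", "Origin")
		if c.AllowCredentials {
			h.Set("Access-Control-Allow-Credentials", "true")
		}
		h.Set("Access-Control-Expose-Headers", strings.Join(c.ExposedHeaders, ", "))
		if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
			// Preflight, triggered by the custom X-CSRF-Token request header.
			h.Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE")
			h.Set("Access-Control-Allow-Headers", strings.Join(c.AllowedHeaders, ", "))
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

const (
	csrfCookie = "csrf"         // cookieName in the thread's config
	csrfHeader = "X-CSRF-Token" // header in the thread's config
)

// issueToken sets the cookie and returns the token in the X-CSRF-Token response header.
// The token is a constructed constant; a real implementation uses random, signed values.
func issueToken(w http.ResponseWriter, r *http.Request) {
	token := "constructed-token-0123456789abcdef"
	http.SetCookie(w, &http.Cookie{Name: csrfCookie, Value: token, Path: "/", HttpOnly: true, Secure: false}) // Secure:false is dev only
	w.Header().Set(csrfHeader, token)
}

// protect is a simplified double-submit check: unsafe methods need the cookie and a matching header.
func protect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodGet || r.Method == http.MethodHead || r.Method == http.MethodOptions {
			next.ServeHTTP(w, r)
			return
		}
		ck, err := r.Cookie(csrfCookie) // err is http.ErrNoCookie: "http: named cookie not present"
		if err != nil {
			http.Error(w, "Forbidden - "+err.Error(), http.StatusForbidden)
			return
		}
		if subtle.ConstantTimeCompare([]byte(r.Header.Get(csrfHeader)), []byte(ck.Value)) != 1 {
			http.Error(w, "Forbidden - CSRF token invalid", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func newServer(cfg corsConfig) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/token", issueToken)
	mux.Handle("/api/submit", protect(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "ok") })))
	return corsMiddleware(cfg, mux)
}

type runResult struct {
	PreflightStatus, SubmitStatus, NoCookieStatus                int
	AllowCredentials, AllowHeaders, ExposeHeaders, NoCookieBody string
}

// simulate replays what a browser does for a UI served from http://localhost:3000 (assumed port).
func simulate(cfg corsConfig) runResult {
	srv := newServer(cfg)
	do := func(method, path string, hdr map[string]string, cookies []*http.Cookie) *httptest.ResponseRecorder {
		req := httptest.NewRequest(method, path, strings.NewReader("{}"))
		req.Header.Set("Origin", "http://localhost:3000")
		for k, v := range hdr {
			req.Header.Set(k, v)
		}
		for _, c := range cookies {
			req.AddCookie(c)
		}
		rec := httptest.NewRecorder()
		srv.ServeHTTP(rec, req)
		return rec
	}
	var res runResult
	// 1. Preflight: may this origin POST with an X-CSRF-Token header?
	pre := do(http.MethodOptions, "/api/submit", map[string]string{"Access-Control-Request-Method": "POST", "Access-Control-Request-Headers": "x-csrf-token"}, nil)
	res.PreflightStatus, res.AllowCredentials, res.AllowHeaders = pre.Code, pre.Header().Get("Access-Control-Allow-Credentials"), pre.Header().Get("Access-Control-Allow-Headers")
	// 2. Fetch a token; the script can read the header only because it is exposed (axios lowercases the name).
	get := do(http.MethodGet, "/api/token", nil, nil)
	res.ExposeHeaders = get.Header().Get("Access-Control-Expose-Headers")
	token, cookies := get.Header().Get(csrfHeader), get.Result().Cookies()
	// 3. POST with cookie (withCredentials: true) and header: accepted.
	res.SubmitStatus = do(http.MethodPost, "/api/submit", map[string]string{csrfHeader: token}, cookies).Code
	// 4. Same POST without the cookie, which is what the browser sends without credentials: the thread's error.
	nc := do(http.MethodPost, "/api/submit", map[string]string{csrfHeader: token}, nil)
	res.NoCookieStatus, res.NoCookieBody = nc.Code, strings.TrimSpace(nc.Body.String())
	return res
}

func main() {
	fmt.Printf("%+v\n", simulate(corsConfig{
		AllowedOrigins: []string{"http://localhost*"}, AllowedHeaders: []string{"X-CSRF-Token"},
		ExposedHeaders: []string{"X-CSRF-Token"}, AllowCredentials: true,
	}))
}
```

Step 4 is the failure mode from the first comment: the header arrives, the cookie does not, and `r.Cookie` returns `http.ErrNoCookie`. Dropping `AllowCredentials` from the config (or `withCredentials` from the client) reproduces it; dropping `ExposedHeaders` leaves the script unable to read the token at all, so it never gets as far as the POST.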

DavidLarsKetch avatar DavidLarsKetch commented on June 8, 2024

@francoposa thanks for the direction. I'll throw updated docs together if you want to hand that off.


stale avatar stale commented on June 8, 2024

This issue has been automatically marked as stale because it hasn't seen a recent update. It'll be automatically closed in a few days.


francoposa avatar francoposa commented on June 8, 2024

Not stale; still an issue and the PR to fix has not been looked at to my knowledge

