Comments (8)
The error always comes from csrf.go, line 216:

realToken, err := cs.st.Get(r)

err is always "http: named cookie not present".
So it seems that axios is not sending it?
Does anyone know?
Almost the same problem.
I actually figured this out, at least for serving on localhost: https://github.com/francoposa/go-csrf-examples (sorry for no documentation yet, but the code is simple).
It's about the CORS settings. Here's what I use for the API server (see the config.local.yaml files in the repo).
It's a shame CORS is not mentioned in the documentation.
---
server:
  host: localhost
  port: 8080
  timeout:
    server: 30
    read: 15
    write: 10
    idle: 5
cors:
  allowCredentials: true
  allowedHeaders:
    - X-CSRF-Token
  exposedHeaders:
    - X-CSRF-Token
  allowedOrigins:
    - http://localhost*
  debug: true
csrf:
  secure: false # false in development only!
  key: place-your-32-byte-long-key-here
  cookieName: csrf
  header: X-CSRF-Token
For the UI side, I wrote a quick static file server so that the JavaScript is served from localhost. Just opening the index.html file in the browser will not register with the API server as requests coming from localhost.
Also note that Axios lowercases all the headers it receives in the response: https://github.com/francoposa/go-csrf-examples/blob/main/ui/axios-js/web/static/index.js#L6
@francoposa are there specific changes to the docs you can suggest given the above?
I have forked with the intention of doing all of the below, but have been otherwise occupied since then.
If anyone feels inspired to tackle it before I get to it, I do feel pretty confident that the CORS configuration in my example repo is the absolute minimum config to get this working, with no extra stuff. I played around with this for days trying to get it as simple as possible.
Documentation updates, in order of effort and helpfulness from least to most:
- Some mention that the JavaScript examples won't work without applying CORS configuration to the server
- Linking to suggested CORS libraries
- Describing what a working CORS configuration would be
- Working code examples
... Extra credit? Maybe a basic description of the necessary CORS settings (AllowCredentials, ExposedHeaders, AllowedHeaders) and why they're needed
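The three CORS settings named in the two comments above (allowCredentials, allowedHeaders, exposedHeaders), written out as a plain net/http middleware so the effect of each can be checked with httptest and no browser. This is an added example, not gorilla/csrf, rs/cors, or code from the go-csrf-examples repo: the origin list, paths and token value are constructed, exact-match origins are used instead of the `http://localhost*` pattern from the posted config, and `tokenIssuer` stands in for the csrf middleware rather than pulling in the library.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumptions for this added example: the UI is served from a different
// origin than the API, and the token travels in X-CSRF-Token plus a cookie.
const csrfHeader = "X-CSRF-Token"

// Constructed allow-list. The browser sends one Origin; we match it exactly
// and echo it back, because "*" is rejected when credentials are allowed.
var allowedOrigins = []string{"http://localhost:3000", "http://localhost:8000"}

func originAllowed(origin string) bool {
	for _, o := range allowedOrigins {
		if o == origin {
			return true
		}
	}
	return false
}

// corsForCSRF adds the minimum CORS headers a cross-origin CSRF exchange needs.
func corsForCSRF(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin == "" {
			// Same-origin or non-browser client: CORS does not apply.
			next.ServeHTTP(w, r)
			return
		}
		if !originAllowed(origin) {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		h := w.Header()
		h.Set("Access-Control-Allow-Origin", origin)
		h.Add("Vary", "Origin")
		// allowCredentials: without it the browser neither stores the CSRF
		// cookie nor attaches it later, even with axios withCredentials: true,
		// and the server sees "http: named cookie not present".
		h.Set("Access-Control-Allow-Credentials", "true")
		// exposedHeaders: lets page JavaScript read the token header
		// (axios presents it lowercased as headers["x-csrf-token"]).
		h.Set("Access-Control-Expose-Headers", csrfHeader)
		if r.Method == http.MethodOptions {
			// allowedHeaders: the custom header triggers a preflight, which
			// must name it or the real request never leaves the browser.
			h.Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
			h.Set("Access-Control-Allow-Headers", csrfHeader+", Content-Type")
			h.Set("Access-Control-Max-Age", "600")
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// tokenIssuer stands in for the CSRF-protected API; a real server wraps it in
// the csrf middleware, which owns the cookie. The token value is constructed.
func tokenIssuer() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set(csrfHeader, "constructed-token-value")
		fmt.Fprintln(w, "ok")
	})
}

// preflight replays the OPTIONS request a browser sends before a request that
// carries X-CSRF-Token.
func preflight(origin string) *httptest.ResponseRecorder {
	req := httptest.NewRequest(http.MethodOptions, "/api/items", nil)
	req.Header.Set("Origin", origin)
	req.Header.Set("Access-Control-Request-Method", "POST")
	req.Header.Set("Access-Control-Request-Headers", strings.ToLower(csrfHeader))
	rec := httptest.NewRecorder()
	corsForCSRF(tokenIssuer()).ServeHTTP(rec, req)
	return rec
}

// apiRequest replays the GET that fetches a token; empty origin = same-origin.
func apiRequest(origin string) *httptest.ResponseRecorder {
	req := httptest.NewRequest(http.MethodGet, "/api/items", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	corsForCSRF(tokenIssuer()).ServeHTTP(rec, req)
	return rec
}

func main() {
	for _, origin := range []string{"http://localhost:3000", "http://evil.example"} {
		rec := preflight(origin)
		fmt.Printf("preflight from %s -> %d %v\n", origin, rec.Code, rec.Header())
	}
}
```

The check a practitioner wants is the unlisted-origin case: the middleware must answer the preflight with 403 and no Access-Control-Allow-Origin at all, and the same-origin request (no Origin header) must get no CORS headers, so the allow-list is the only thing deciding which pages can use the cookie-backed token.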
@francoposa thanks for the direction. I'll throw updated docs together if you want to hand that off.
This issue has been automatically marked as stale because it hasn't seen a recent update. It'll be automatically closed in a few days.
Not stale; still an issue, and the PR to fix it has not been looked at, to my knowledge.