fastapi-jwt-auth icon indicating copy to clipboard operation
fastapi-jwt-auth copied to clipboard
verified publisher icon IndominusByte

Missing CSRF token on post

Open pocket5s opened this issue 5 years ago • 9 comments

Tokens seem to work fine with get calls, but on a post call I get a "Missing CSRF token" on a jwt_required() call. I've verified the cookies are all set by dumping out the incoming headers.

pocket5s avatar Dec 10 '20 03:12 pocket5s

you can check on the same issues #25 , I will fix the documentation later I'm sorry for the inconvenience 🙏

IndominusByte avatar Dec 10 '20 09:12 IndominusByte

That gives me "CSRF double submit tokens do not match". that is putting the refresh token in the X-CSRF-TOKEN header.

pocket5s avatar Dec 10 '20 14:12 pocket5s

Check out using csrf_access_token instead of csrf_refresh_token accesstoken

silicology1 avatar Dec 10 '20 14:12 silicology1

That worked. So why do I need that if it already a cookie and on a post and not a get?

pocket5s avatar Dec 10 '20 14:12 pocket5s

Check it out: https://stackoverflow.com/questions/34782493/difference-between-csrf-and-x-csrf-token An alternative approach (called the "Cookie-to-header token" pattern) is to set a Cookie once per session and the have JavaScript read that cookie and set a custom HTTP header (often called X-CSRF-TOKEN or X-XSRF-TOKEN or just XSRF-TOKEN) with that value. Any requests will send both the header (set by Javascript) and the cookie (set by the browser as a standard HTTP header) and then the server can check that value in the X-CSRF-TOKEN header matches the value in the cookie header. The idea being that only JavaScript run on the same domain would have access to the cookie, so JavaScript from another domain couldn't set this header to the right value (assuming the page is not vulnerable to XSS that would give access to this cookie). Even fake links (e.g. in a phishing email) would not work either, as even though they would appear to come from the right domain, only the cookie will be set but not X-CSRF-TOKEN header.

silicology1 avatar Dec 10 '20 14:12 silicology1

That worked. So why do I need that if it already a cookie and on a post and not a get?

GET requests should also never make state changes to the system, therefore should not be required to have CSRF protection. request methods are considered "safe" if their defined semantics are essentially read-only of the request methods defined by this specification, the GET, HEAD, OPTIONS, and TRACE methods are defined to be safe.

and thank you so much @amiyatulu for sharing with us 😄 🙏

IndominusByte avatar Dec 10 '20 14:12 IndominusByte

ok. yeah without documentation that is really confusing :)

pocket5s avatar Dec 10 '20 14:12 pocket5s

I'm sorry for the inconvenience I will fix the documentation later thank you @pocket5s 🙏

IndominusByte avatar Dec 10 '20 14:12 IndominusByte

Check it out: https://stackoverflow.com/questions/34782493/difference-between-csrf-and-x-csrf-token An alternative approach (called the "Cookie-to-header token" pattern) is to set a Cookie once per session and the have JavaScript read that cookie and set a custom HTTP header (often called X-CSRF-TOKEN or X-XSRF-TOKEN or just XSRF-TOKEN) with that value. Any requests will send both the header (set by Javascript) and the cookie (set by the browser as a standard HTTP header) and then the server can check that value in the X-CSRF-TOKEN header matches the value in the cookie header. The idea being that only JavaScript run on the same domain would have access to the cookie, so JavaScript from another domain couldn't set this header to the right value (assuming the page is not vulnerable to XSS that would give access to this cookie). Even fake links (e.g. in a phishing email) would not work either, as even though they would appear to come from the right domain, only the cookie will be set but not X-CSRF-TOKEN header.

Thank you very much. This is exactly what I needed for it to work.

fredrare avatar Dec 22 '20 03:12 fredrare