
Laravel XSRF-TOKEN cookie being stored with URL encoding incorrectly

Open boardy opened this issue 3 years ago • 12 comments

When working with a Laravel API project using Sanctum for authentication and CSRF protection, the XSRF-TOKEN that gets stored in the cookie store seems to be URL-encoded incorrectly: the cookie string usually ends in = but Insomnia stores it as %3D.

For example, I get the following XSRF-TOKEN received and stored in the Insomnia Cookie Store:

eyJpdiI6Iml5YWEreGVaYUw0WGc2QmxlVEhQOGc9PSIsInZhbHVlIjoieVU2bmdyTjMyNFM0d0dnb3RsM24rMDFhRnJNWHVLcGg2SU9YMHh5dW8yaTZSTWcxbGxtSFdaK0I5MzB4Ymc4QWZWSzhjN2R6Y1RUTTc0d1VIY2FUaVhGMVE4bzQvWVBmL1YvajAwY3ZUNlZ4VEZIRk12cloyV0owVmNYOUxEZTIiLCJtYWMiOiI4OTUyN2U1MGI3NmUyMjEzZjgyNDcxMjAwYmViYjRkNzAwYmQ1YWUxOGY5NTYyNTVhZDczMmQ0ZjdlNjQwMGFhIn0%3D

When it should be:

eyJpdiI6Iml5YWEreGVaYUw0WGc2QmxlVEhQOGc9PSIsInZhbHVlIjoieVU2bmdyTjMyNFM0d0dnb3RsM24rMDFhRnJNWHVLcGg2SU9YMHh5dW8yaTZSTWcxbGxtSFdaK0I5MzB4Ymc4QWZWSzhjN2R6Y1RUTTc0d1VIY2FUaVhGMVE4bzQvWVBmL1YvajAwY3ZUNlZ4VEZIRk12cloyV0owVmNYOUxEZTIiLCJtYWMiOiI4OTUyN2U1MGI3NmUyMjEzZjgyNDcxMjAwYmViYjRkNzAwYmQ1YWUxOGY5NTYyNTVhZDczMmQ0ZjdlNjQwMGFhIn0=

Notice the = on the end, as it should be, instead of the %3D that Insomnia stores it as. This has to be modified and manually updated each time to ensure Laravel can perform the CSRF protection.

boardy avatar Jun 16 '21 21:06 boardy

Is it possible that you can make a mockbin.org that I could use to reproduce this?

dimitropoulos avatar Jun 17 '21 13:06 dimitropoulos

Hi Dimitri,

I managed to replicate it using mockbin. If you send a POST request to http://mockbin.org/bin/54e06b59-0cd9-4cbf-b40c-f96883f7794f?foo=bar&foo=baz

it will generate a cookie called XSRF-TOKEN where the value should be HelloWorld=, but Insomnia shows it stored as HelloWorld%3D.

Thanks

Chris Board


boardy avatar Jun 17 '21 13:06 boardy

Perfect. Was able to reproduce. Thank you!

dimitropoulos avatar Jun 17 '21 14:06 dimitropoulos

Just spent 5 hours on this until I found this issue. At least it has been recognized

abbluiz avatar Jun 21 '21 20:06 abbluiz

@abbluiz I'm super sorry to hear that. I've totally been there too, myself, for what it's worth, so I can relate to how frustrating it is.

I've mentioned this to our product team and will hope we can take a closer look at it soon. To be transparent, the team is pretty hyper-focused on spaces right now so it won't be in the next release, but hopefully we can find time right after the first push of spaces.

dimitropoulos avatar Jun 22 '21 15:06 dimitropoulos

@dimitropoulos Thank you. I actually found an Insomnia plugin that happens to "fix" this, however it's probably better to have this fixed without using plugins anyway. It may help the team: https://insomnia.rest/plugins/insomnia-plugin-cookiedecode

abbluiz avatar Jun 22 '21 20:06 abbluiz

Unless I'm missing something the plugin doesn't seem to work. I still need to manually edit the cookie each time.

I'm disappointed to hear that this isn't being given priority over a feature. As cookie handling is quite a vital part of a REST client app, I would have thought this should have a fairly high priority. I spent 5 days while learning Laravel thinking I was implementing it wrong or misunderstanding the tutorial, only to discover Insomnia was the problem.

boardy avatar Jun 22 '21 21:06 boardy

@boardy The plugin does not fix it being stored that way, but you can use it to send it back to Laravel by calling it through the Header section. You put X-XSRF-TOKEN and the decoded cookie as the value using the plugin. However, after getting past the 419 errors I was getting, I am still getting 401 errors when I try using protected API routes after login.

abbluiz avatar Jun 23 '21 13:06 abbluiz

@abbluiz Ah yeah, that did it. I was thinking it was an automatic thing, not a separate cookie option. Thanks

boardy avatar Jun 23 '21 15:06 boardy

@abbluiz You need to provide an Origin header to avoid 401 errors.

Anyway, the third-party plugin works, but I wish there was some built-in way to decode a value here:

image

adiachenko avatar Oct 18 '21 11:10 adiachenko

@adiachenko Yeah, I figured out the other problems. Thank you, though. Also waiting for this built-in feature.

abbluiz avatar Oct 18 '21 17:10 abbluiz

@abbluiz you are a legend! I lost hours trying to figure this out too. It's a shame because I love the simplicity of Insomnia but it looks like core bugs are not being looked at over features.

garethredfern avatar Feb 12 '22 11:02 garethredfern

Thank you @abbluiz for the workaround using the plugin, saved me lots of time. Would be great if this was a built-in feature

tchartron avatar Feb 24 '24 14:02 tchartron