
Investigate CSRF token not set

Open · alejandromumo opened this issue 1 year ago · 1 comment

When the client sends an HTTP request (POST, PUT, PATCH, DELETE) for the first time without logging in (e.g. filling a form while incognito), the request does not have the CSRF token set.

See this issue for more information on how this happened in incognito

The flow to obtain the token is the following:

On login/logout

  • Login / Logout (server resets the token and sets a new token in response)
  • Browser has the token and sends it in future requests

On POST, PATCH, DELETE, PUT with the token set (expired)

The client sends a request with the token

  • If expired, the server resets the token and returns the new token in the response
  • Browser has the token and sends it in future requests

See the relevant code

What needs to be investigated:

  • We need to understand how to transparently generate the CSRF token without failing the client (similar to what wtf-forms does). Ideas: pre-flight requests

alejandromumo, Sep 15 '23 09:09

This issue was automatically marked as stale.

github-actions[bot], Nov 15 '23 06:11

This issue mainly affects the guest access request on a restricted record when not logged in.

Agreed within the team that for the moment the current solution is acceptable, as there is not much usage expected on the guest access form; therefore doing the two requests is acceptable. However, one potential improvement would be to add the CSRF token to the form in the view as a hidden field; that way we would avoid the double request.

jrcastro2, May 31 '24 13:05