
"Invalid CSRF token" even after renewal

Open tuukka opened this issue 6 years ago • 12 comments

I use wikibase-edit with password authentication in a NodeJS service. At first everything works fine, but after the CSRF token expires, edits stop working. In the logs, I can see the token renewal operation, but after that MediaWiki still responds "Invalid CSRF token" even for the new token. A restart of the NodeJS service helps until the token expires again.

I see that the cookies don't change after the token renewal - could that be a bug in wikibase-edit or wikibase-token?

tuukka, Sep 13 '19 13:09

which version of wikibase-edit are you using? do you know how much time it takes for the token to expire? I can't find it in the documentation

maxlath, Sep 14 '19 09:09

also, is that part of an intensive edit batch? @jum-s and I have witnessed comparable errors when running a lot of edits

maxlath, Sep 22 '19 09:09

Sorry, it's complicated. I have been using version 3.0.3.

In my case, all edits start to cause this error after it appears the first time. I have seen it happen in less than 2 hours but I'm not sure how long it can take. However, it seems I have been able to patch around this by not using the login cookies but the cookies from the token renewal request (when they appear - they don't always!)

In your case, do only some of the edits fail? I think there may be race conditions in the code regarding token renewal: If there are multiple requests in progress while the token expires, doesn't that cause multiple competing renewals which are not in sync with the subsequent retries and new requests?

tuukka, Sep 22 '19 11:09

To continue about the potential race condition: The fix would be to stop all requests and retries after first error, make one token renewal and only then proceed with the requests and retries with the new token.

tuukka, Sep 22 '19 11:09
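The two points raised in the comments above (use the cookies returned by the token renewal, and let concurrent failures share one renewal instead of racing) can be shown against a small stand-in API. This is an added example, not code from wikibase-edit or wikibase-token: `FakeWikiApi` is a constructed imitation of MediaWiki's `meta=tokens` and edit endpoints (its "a session dies after 3 edits" rule is an assumption used only to trigger expiry), and `EditClient` is a hypothetical client that keeps one in-flight renewal promise and merges any cookies the renewal returns. Running the same burst of parallel edits with cookie merging on and off reproduces the thread's symptom: without the merge, the retry with the new token still fails because the cookie jar still carries the old session.

```javascript
// Added example: single-flight CSRF token renewal plus cookie merging.
// FakeWikiApi is a constructed stand-in for MediaWiki, not the real API.
class FakeWikiApi {
  constructor() {
    this.sessions = new Map([['sess-1', { token: 'tok-1', expired: false }]]);
    this.successfulEdits = 0;
    this.editsPerSession = 3; // assumption: a session expires after 3 edits
    this.calls = { token: 0, edit: 0 };
  }

  // Stand-in for action=query&meta=tokens&type=csrf. A live session gets its
  // current token back; an expired one gets a new session (Set-Cookie) and token.
  async getToken(cookies) {
    this.calls.token += 1;
    const session = this.sessions.get(cookies.session);
    if (session && !session.expired) return { token: session.token };
    const id = `sess-${this.sessions.size + 1}`;
    const token = `tok-${this.sessions.size + 1}`;
    this.sessions.set(id, { token, expired: false });
    return { token, setCookie: { session: id } };
  }

  // Stand-in for an edit POST: the token is only valid for the live session
  // that issued it, so a stale session cookie yields "Invalid CSRF token".
  async edit(cookies, token) {
    this.calls.edit += 1;
    const session = this.sessions.get(cookies.session);
    if (!session || session.expired || session.token !== token) {
      return { error: { code: 'badtoken', info: 'Invalid CSRF token.' } };
    }
    this.successfulEdits += 1;
    if (this.successfulEdits % this.editsPerSession === 0) session.expired = true;
    return { success: 1 };
  }
}

// Hypothetical client: one shared renewal promise, cookies merged on renewal.
class EditClient {
  constructor(api, { mergeRenewalCookies = true } = {}) {
    this.api = api;
    this.mergeRenewalCookies = mergeRenewalCookies;
    this.cookies = { session: 'sess-1' }; // constructed login cookies
    this.token = null;
    this.renewal = null; // in-flight renewal shared by every caller
  }

  renewToken() {
    if (!this.renewal) {
      this.renewal = this.api.getToken({ ...this.cookies })
        .then((res) => {
          // The renewal response may carry a rotated session cookie; a client
          // that keeps using its login cookies is then permanently stale.
          if (this.mergeRenewalCookies && res.setCookie) {
            Object.assign(this.cookies, res.setCookie);
          }
          this.token = res.token;
          return res.token;
        })
        .finally(() => { this.renewal = null; });
    }
    return this.renewal;
  }

  async edit(params, attempt = 0) {
    const token = this.token || await this.renewToken();
    const res = await this.api.edit({ ...this.cookies }, token);
    if (!res.error) return res;
    if (res.error.code !== 'badtoken') throw new Error(res.error.info);
    if (attempt >= 1) throw new Error(`${res.error.info} (even after renewal)`);
    // Only the first failure clears the cached token; the others find it
    // cleared already and join the renewal in flight instead of racing it.
    if (this.token === token) this.token = null;
    return this.edit(params, attempt + 1);
  }
}

// Fire a burst of parallel edits and summarise what the API saw.
async function runScenario({ mergeRenewalCookies, parallelEdits = 6 }) {
  const api = new FakeWikiApi();
  const client = new EditClient(api, { mergeRenewalCookies });
  const results = await Promise.allSettled(
    Array.from({ length: parallelEdits }, (_, i) =>
      client.edit({ id: `Q${i + 1}`, label: `item ${i + 1}` })));
  return {
    ok: results.filter((r) => r.status === 'fulfilled').length,
    failed: results.filter((r) => r.status === 'rejected').length,
    tokenRequests: api.calls.token,
    editRequests: api.calls.edit,
  };
}

runScenario({ mergeRenewalCookies: true }).then((r) => console.log('merge on ', r));
runScenario({ mergeRenewalCookies: false }).then((r) => console.log('merge off', r));
```

With merging on, six parallel edits need only two token requests (the initial fetch and one shared renewal after the session expires) and all six succeed; with merging off, the three edits that hit the expiry are retried with the fresh token but the old session cookie, and every retry fails exactly as described above.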

(after some more digging, our case was a bit extreme: we were sending 8000+ parallel POST requests, no wonder the server wasn't keeping up ^^')

could you share the code that experiences this error?

maxlath, Sep 22 '19 14:09

It's a simple NodeJS web service that calls wikibase-edit based on the HTTP requests that it receives. The parameter object specifies the item whose label will be set to the parameter name.

const axios = require('axios');       // not used in this excerpt
const wdk = require('wikibase-sdk');  // not used in this excerpt

// Password credentials for the wiki; the token is fetched and renewed by wikibase-edit itself.
const config = {
  credentials: {
    username: '***',
    password: '***'
  },
  verbose: true,
  wikibaseInstance: 'https://wiki.***.***/w/api.php',
}

const wbEdit = require('wikibase-edit')(config);

const express = require('express');
const bodyParser = require('body-parser');

const app = express();

app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: true }));

// Each POST sets the English label of the item `object` to `name`.
app.post('/', async (req, res) => {
  res.header("Access-Control-Allow-Origin", "*");
  try {
    const labelResult = await wbEdit.entity.edit({
      id: req.body.object,
      labels: {
        en: req.body.name,
      },
    });
    console.log(labelResult);
    res.send(labelResult);
  } catch (err) {
    // Without this, a rejected edit (e.g. "Invalid CSRF token") leaves the request hanging.
    console.error(err);
    res.status(500).send({ error: err.message });
  }
});
app.listen(3001, () => console.log('server started on port 3001'));

tuukka, Sep 22 '19 15:09

I have the same error. How did you solve it @tuukka?

MikaMaracuja, Apr 06 '20 15:04

there were quite a lot of changes to the auth code since this issue was opened, any chance this issue magically disappeared in the latest version? :D

maxlath, May 22 '20 18:05

Same error on [email protected]

haansn08, Jul 13 '20 22:07

@haansn08 could you share the error logs? how long did it work before it stopped working? which Wikibase are you working with?

maxlath, Jul 14 '20 07:07

Error: invalid csrf token
    at Object.new (*******/node_modules/wikibase-edit/lib/error.js:3:17)
    at parseTokens (*******/node_modules/wikibase-edit/lib/request/get_final_token.js:42:21)
    at *******/node_modules/wikibase-edit/lib/request/get_final_token.js:31:10
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at async module.exports (*******/node_modules/wikibase-edit/lib/claim/move.js:70:17)
    at async *******/move.js:43:9
[context] {"loginCookies":"ss0-wikidatawikiSession=vpck*********; wikidatawikiSession=vpck*********; wikidatawikiUserID=28*****; wikidatawikiUserName=Haansn08; centralauth_Token=ac43*******; centralauth_Session=b6a7*******","body":{"batchcomplete":"","query":{"tokens":{"csrftoken":"+\\"}}}} {
  statusCode: 400,
  context: {
    loginCookies: 'ss0-wikidatawikiSession=vpck*********; wikidatawikiSession=vpck*********; wikidatawikiUserID=28*****; wikidatawikiUserName=Haansn08; centralauth_Token=ac43*******; centralauth_Session=b6a7*******',
    body: { batchcomplete: '', query: [Object] }
  }
}

It still worked on 2020-07-12. I'm using the instance https://www.wikidata.org.

haansn08, Jul 14 '20 08:07

This patch 6abb7d1 might fix the problem (published in v4.5.2). Alternatively, I would recommend that you use Owner-only OAuth tokens, which should not have this issue.

maxlath, Jul 14 '20 11:07