kratos
A request failed due to a missing or invalid csrf_token value
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [ ] I have joined the Ory Community Slack.
- [ ] I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe the bug
CORS / CSRF issue when using hydra to create a client on the command line.
Reproducing the bug
config
```yaml
dsn: memory
serve:
  public:
    base_url: http://127.0.0.1:6409/
    cors:
      enabled: false
      allowed_origins:
        - http://127.0.0.1
        - http://localhost
        - http://*.localhost
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      allowed_headers:
        - Authorization
        - Cookie
        - Content-Type
      exposed_headers:
        - Content-Type
        - Set-Cookie
  admin:
    base_url: http://127.0.0.1:4468/
selfservice:
  default_browser_return_url: http://127.0.0.1:4455/
  allowed_return_urls:
    - http://127.0.0.1:4455
  methods:
    password:
      enabled: true
  flows:
    error:
      ui_url: http://127.0.0.1:4455/error
    settings:
      ui_url: http://127.0.0.1:4455/settings
      privileged_session_max_age: 15m
    recovery:
      enabled: true
      ui_url: http://127.0.0.1:4455/recovery
    verification:
      enabled: true
      ui_url: http://127.0.0.1:4455/verify
      after:
        default_browser_return_url: http://127.0.0.1:4455/
    logout:
      after:
        default_browser_return_url: http://127.0.0.1:4455/auth/login
    login:
      ui_url: http://127.0.0.1:4455/auth/login
      lifespan: 10m
    registration:
      lifespan: 10m
      ui_url: http://127.0.0.1:4455/auth/registration
      after:
        password:
          hooks:
            - hook: session
log:
  level: debug
  format: text
  leak_sensitive_values: true
secrets:
  cookie:
    - 'zDfc1Po0tJVXU6NkT+8/kH7O9Gk7bA=='
hashers:
  argon2:
    parallelism: 1
    memory: 128MB
    iterations: 2
    salt_length: 16
    key_length: 16
identity:
  schemas:
    - id: default
      url: file:///tmp/kratos-17e31a864b.yaml.schema.json
courier:
  smtp:
    connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true&legacy_ssl=true
```
user schema
```json
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "username": {
          "title": "Username",
          "type": "string",
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              }
            }
          }
        },
        "name": {
          "type": "object",
          "properties": {
            "first": {
              "title": "First name",
              "type": "string"
            },
            "last": {
              "title": "Last name",
              "type": "string"
            }
          }
        }
      }
    }
  }
}
```
Relevant log output
INFO[2024-08-17T17:10:41-04:00] started handling request http_request=map[headers:map[accept:application/json accept-encoding:gzip content-length:695 content-type:application/json user-agent:OpenAPI-Generator/1.0.0/go] host:localhost:4433 method:POST path:/admin/clients query:<nil> remote:127.0.0.1:28411 scheme:http]
WARN[2024-08-17T17:10:41-04:00] A request failed due to a missing or invalid csrf_token value audience=application error=map[debug: details:map[docs:https://www.ory.sh/kratos/docs/debug/csrf hint:The anti-CSRF cookie was found but the CSRF token was not included in the HTTP request body (csrf_token) nor in the HTTP Header (X-CSRF-Token). reject_reason:The HTTP Cookie Header was set and a CSRF token was sent but they do not match. We recommend deleting all cookies for this domain and retrying the flow.] message:the request was rejected to protect you from Cross-Site-Request-Forgery reason:Please retry the flow and optionally clear your cookies. The request was rejected to protect you from Cross-Site-Request-Forgery (CSRF) which could cause account takeover, leaking personal information, and other serious security issues. stack_trace:
github.com/ory/kratos/x.CSRFErrorReason
/custom-packages/yonasBSD/kratos/work/kratos-9710549/x/nosurf.go:182
github.com/ory/kratos/x.NewCSRFHandler.CSRFFailureHandler.func3
/custom-packages/yonasBSD/kratos/work/kratos-9710549/x/nosurf.go:209
net/http.HandlerFunc.ServeHTTP
/usr/local/go121/src/net/http/server.go:2136
github.com/ory/nosurf.(*CSRFHandler).handleFailure
/home/yonas/go/pkg/mod/github.com/ory/[email protected]/handler.go:240
github.com/ory/nosurf.(*CSRFHandler).ServeHTTP
/home/yonas/go/pkg/mod/github.com/ory/[email protected]/handler.go:222
github.com/urfave/negroni.(*Negroni).UseHandler.Wrap.func1
/home/yonas/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:46
github.com/urfave/negroni.HandlerFunc.ServeHTTP
/home/yonas/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29
github.com/urfave/negroni.middleware.ServeHTTP
/home/yonas/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/ory/kratos/x.glob..func1
/custom-packages/yonasBSD/kratos/work/kratos-9710549/x/clean_url.go:15
github.com/urfave/negroni.HandlerFunc.ServeHTTP
/home/yonas/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29
github.com/urfave/negroni.middleware.ServeHTTP
/home/yonas/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
github.com/ory/kratos/cmd/daemon.servePublic.func1
/custom-packages/yonasBSD/kratos/work/kratos-9710549/cmd/daemon/serve.go:111
github.com/urfave/negroni.HandlerFunc.ServeHTTP
/home/yonas/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29
github.com/urfave/negroni.middleware.ServeHTTP
/home/yonas/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38
net/http.HandlerFunc.ServeHTTP
/usr/local/go121/src/net/http/server.go:2136
Relevant configuration
No response
Version
ory/kratos@68693a4
ory/hydra@c341d0e
On which operating system are you observing this issue?
FreeBSD
In which environment are you deploying?
Binary
Additional Context
No response
I've disabled cors, so this code path shouldn't be running.
Looks like you're making requests against kratos public endpoint with something that's intended for Hydra. Closing as config error.
@aeneasr Thanks, how do I make requests against Hydra?
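The maintainer's diagnosis and the log hint above come down to a double-submit cookie check on the Kratos public endpoint that runs regardless of the `cors: enabled: false` setting, which is why the POST with a cookie but no token was rejected. The following Go program is an added illustration, not Kratos' or nosurf's own code; the cookie, header and field names are hypothetical and the requests are constructed.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Hypothetical cookie/header/field names for this example; Kratos' real cookie name differs.
const csrfCookie, csrfHeader, csrfField = "csrf_token", "X-CSRF-Token", "csrf_token"

// CheckCSRF is a simplified double-submit check (not nosurf's actual code): "" means pass,
// otherwise a reject reason matching the hints quoted in the issue's log. It never consults
// CORS: CORS limits browser cross-origin reads, CSRF protection guards state changes.
func CheckCSRF(r *http.Request) string {
	switch r.Method { // safe methods are exempt, as in nosurf
	case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
		return ""
	}
	c, err := r.Cookie(csrfCookie)
	if err != nil || c.Value == "" {
		return "anti-CSRF cookie missing"
	}
	tok := r.Header.Get(csrfHeader)
	if tok == "" {
		tok = r.FormValue(csrfField) // body field named in the log's hint
	}
	if tok == "" {
		return "cookie found but no csrf_token in body or X-CSRF-Token header"
	}
	if subtle.ConstantTimeCompare([]byte(tok), []byte(c.Value)) != 1 {
		return "cookie and token do not match"
	}
	return ""
}

// Probe builds a constructed POST like the issue's /admin/clients call ("" = absent).
func Probe(cookie, header string) string {
	req := httptest.NewRequest(http.MethodPost, "/admin/clients", nil)
	if cookie != "" {
		req.AddCookie(&http.Cookie{Name: csrfCookie, Value: cookie})
	}
	req.Header.Set(csrfHeader, header)
	return CheckCSRF(req)
}

func main() { // the issue's case first: cookie sent, no token, so the request is rejected
	fmt.Printf("%q\n%q\n%q\n", Probe("abc", ""), Probe("abc", "xyz"), Probe("abc", "abc"))
}
```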