How can I use ring anti-forgery / CSRF token with latest version ring/compojure?

About

Asked 11/5, 2015 at 16:10 Answered 11/5, 2015 at 20:37

Solved clojure ring compojure csrf-protection

I copied some old code that was working in compojure 1.1.18 and other old libs, but using the latest versions I can't get it to work.

Here's my minimal example code copied from the minimal example here to demonstrate that with latest ring and compojure libraries, I get an error when I send an http POST, even with the header set.

lein ring server to start it, then do

curl -X GET --cookie-jar cookies "http://localhost:3000/" which results in something like this:

{"csrf-token":"7JnNbzx8BNG/kAeH4bz1jDdGc7zPC4TddDyiyPGX3jmpVilhyXJ7AOjfJgeQllGthFeVS/rgG4GpkUaF"}

But when I do this

curl -X POST -v --cookie cookies -F "[email protected]" --header "X-CSRF-Token: 7JnNbzx8BNG/kAeH4bz1jDdGc7zPC4TddDyiyPGX3jmpVilhyXJ7AOjfJgeQllGthFeVS/rgG4GpkUaF" http://localhost:3000/send

I get <h1>Invalid anti-forgery token</h1>

Am I doing something wrong?

The code I borrowed was intended to answer this question.

Grizzle answered 11/5, 2015 at 16:10 Comment(2)

shot in the dark but does escaping the forward slashes (in the token) using backslashes make any difference? – Flank 11/5, 2015 at 17:25

Thanks! James Reeves / weavejester, the author of compojure and maintainer of ring anti-forgery told me that the new wrap-defaults and site-defaults in the ring-defaults package that replaces the deprecated compojure handler namespace automatically require CSRF tokens for HTTP POST et al. So my code generates the token twice and I verify against the wrong one. I'm working on a fix... – Grizzle 11/5, 2015 at 19:53

The problem was that ring-defaults (which replaces the compojure.handler namespace in compojure >= 1.2) automatically uses ring anti-forgery in the usual mode of use:

(defroutes app-routes
  (GET "/" [] (generate-string {:csrf-token
                                *anti-forgery-token*}))
  (POST "/send" [email] "ok")
  (resources "/")
  (not-found "Not Found"))

(def app
  (-> app-routes
   (wrap-defaults site-defaults)))

So two anti-forgery tokens were being generated and the GET request provided the invalid one. Removing the wrap-anti-forgery line fixed the problem.

Grizzle answered 11/5, 2015 at 20:37 Comment(1)

You can mark your own question as answered if you're happy with the result. – Homs 18/5, 2015 at 10:14

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags