Skip to content

Invalid CSRF on dev install

Moved Solved Tips
  • I wanted to create a DEV instance of sudonix, so went ahead and registered sudonix.dev, installed NodeBB, then recovered the database.

    All good - apart from the fact that I consistently got the dreaded csrf invalid message… 😠

    Here’s the log extract

    2022-03-21T14:15:25.859Z [4571/91294] - info: Initializing NodeBB v1.19.5 https://sudonix.dev
    2022-03-21T14:15:27.761Z [4571/91294] - info: [socket.io] Restricting access to origin: https://sudonix.dev:*
    2022-03-21T14:15:27.858Z [4571/91294] - warn: [plugins] "@nodebb/nodebb-plugin-user-level" is active but not installed.
    (node:91294) Warning: Accessing non-existent property 'padLevels' of module exports inside circular dependency
    (Use `node --trace-warnings ...` to show where the warning was created)
    2022-03-21T14:15:28.637Z [4571/91294] - warn: [plugins/load] DEPRECATION The hook filter:router.page has been deprecated as of v1.15.3, and slated for removal in v2.1.0. Please use response:router.page instead. The following plugins are still listening for this hook:
      * nodebb-plugin-write-api
    2022-03-21T14:15:28.724Z [4571/91294] - info: [plugins/spam-be-gone] Settings loaded
    2022-03-21T14:15:28.734Z [4571/91294] - info: [reputation-rules] settings loaded
    2022-03-21T14:15:28.925Z [4571/91294] - info: [api] Adding 4 route(s) to `api/v3/plugins`
    2022-03-21T14:15:28.936Z [4571/91294] - info: [router] Routes added
    2022-03-21T14:15:28.947Z [4571/91294] - info: NodeBB Ready
    2022-03-21T14:15:28.948Z [4571/91294] - info: Enabling 'trust proxy'
    2022-03-21T14:15:28.950Z [4571/91294] - info: NodeBB is now listening on: 0.0.0.0:4571
    2022-03-21T14:15:47.488Z [4571/91294] - error: [plugin/iframely] Could not parse embed: Failed to lookup view "partials/iframely-widget-card" in views directory "/home/sudonix.dev/nodebb/build/public/templates". Url: https://sudonix.com/topic/233/nodebb-welcome-message-with-logo-footer-change/3?_=1645445273209
    Missing translation "2factor:title" for language "en-GB"
    Missing translation "qanda:topic_solved" for language "en-GB"
    Missing translation "qanda:topic_solved" for language "en-GB"
    Missing translation "qanda:topic_solved" for language "en-GB"
    Missing translation "qanda:topic_solved" for language "en-GB"
    Missing translation "qanda:topic_unsolved" for language "en-GB"
    Missing translation "qanda:topic_solved" for language "en-GB"
    Missing translation "qanda:topic_solved" for language "en-GB"
    Missing translation "qanda:topic_solved" for language "en-GB"
    Missing translation "qanda:topic_solved" for language "en-GB"
    Missing translation "qanda:topic_solved" for language "en-GB"
    Missing translation "qanda:topic_solved" for language "en-GB"
    Missing translation "qanda:menu.solved" for language "en-GB"
    Missing translation "qanda:menu.solved" for language "en-GB"
    2022-03-21T14:15:48.899Z [4571/91294] - error: POST /logout
    invalid csrf token
    

    Tried clearing cache, no dice. Tried incognito mode, no dice.

    After some significant head scratching, it suddenly dawned on me that the cookie domain would need to be reset as this is a PROD database replica in a new domain.

    To do this.

    1. Open the mondogb console
    2. Select your database - in my case use sudonixdev;
    3. Issue this command db.objects.update({_key: "config"}, {$set: {cookieDomain: ""}});
    4. Restart nodebb

    Problem solved - able to login πŸ™‚

  • phenomlabundefined phenomlab has marked this topic as solved on
  • phenomlabundefined phenomlab moved this topic from Configure on
  • phenomlabundefined phenomlab referenced this topic on
  • This post helped me in August.

    Now that I have migrated the server, this topic appears again, and the command no longer works.

    Do you know what causes this problem? How to avoid it?

  • @ε°εŸŽι£Žι›¨ε€š The command should still work. What is the output?

  • @phenomlab

    Environment

    mongoDB version: 6.0.11
    nodebb version: 3.4.3

    Description

    renew install nodebb application and whole server machine, use mongodump backup and restored mongoDB data.
    Then I got this.

    Detail

    server nodebb log when I tried to login and register

    2023-11-03T08:55:23.895Z [4567/5442] - error: POST /login
    invalid csrf token
    2023-11-03T08:55:44.204Z [4567/5442] - error: POST /register
    invalid csrf token
    

    executed mongo command then print

    nodebb> db.objects.update({_key: "config"}, {$set: {cookieDomain: ""}});
    DeprecationWarning: Collection.update() is deprecated. Use updateOne, updateMany, or bulkWrite.
    {
      acknowledged: true,
      insertedId: null,
      matchedCount: 1,
      modifiedCount: 0,
      upsertedCount: 0
    }
    
    nodebb> db.objects.updateOne({ _key: "config" }, { $set: { cookieDomain: "" } })
    {
      acknowledged: true,
      insertedId: null,
      matchedCount: 1,
      modifiedCount: 0,
      upsertedCount: 0
    }
    

    match 1 result, but modifed 0.

    PS

    I’m sorry I didn’t post the detailed information before, and I’m very grateful for your timely reply to my message.
    Now I have bound the email address for my account, and the follow-up news should be notified in time.

  • @ε°εŸŽι£Žι›¨ε€š

    Occasionally I tried to change the url in config.json from https to http.
    It works!

    Amazing!

    Thanks a lot!

  • @ε°εŸŽι£Žι›¨ε€š Looking at the above, it seems you are missing the command to use nodebb for example. Otherwise, you are running the command against the admin database πŸ™‚ Made that mistake myself before…


Did this solution help you?
Did you find the suggested solution useful? Why not buy me a coffee? It's a nice gesture, and a great way to show your appreciation πŸ’—

  • 0 Votes
    4 Posts
    168 Views

    @DownPW it’s in relation to the response I provided above

  • 13 Votes
    30 Posts
    1k Views

    Here’s a small modification to the chatBanner function that will place the message just above the composer/reply component meaning it is pinned at the bottom and always in view as a reminder. I’ve made this change to support the threadedChat I’m currently developing

    // Chat message banner function chatBanner() { var roomName = $("h5[component='chat/header/title']").text().trim(); var bannerContent; if (roomName === "Testing 3") { bannerContent = '<div id="chatbanner">This message will fire for chat rooms with the title of "Testing 3"</div>'; } else { bannerContent = '<div id="chatbanner">This session is for <strong>private discussion only</strong> between the chosen participants. Please do <strong>not</strong> place support requests here and create a <a href="#" onclick="app.newTopic();">new topic</a> instead.</div>'; } var chatMessagesContainer = $('[component="chat/system-message"]:last-of-type'); //var existingMessages = $('[component="chat/message"]'); var existingMessages = $('[component="chat/composer"]'); if (existingMessages.length === 0) { // If there are no messages, append the banner to the messages container chatMessagesContainer.first().after(bannerContent); } else { // If there are messages, add the banner after the last message // existingMessages.last().after(bannerContent); existingMessages.before(bannerContent); } }

    There are only two changes here:

    var existingMessages = $('[component="chat/message"]');

    becomes

    var existingMessages = $('[component="chat/composer"]');

    and

    existingMessages.last().after(bannerContent);

    becomes

    existingMessages.before(bannerContent);
  • 1 Votes
    1 Posts
    119 Views
    No one has replied
  • 3 Votes
    6 Posts
    236 Views

    Seems like Google is finally crawling this site. And, β€œcrawling” in the sense that it’s still extremely slow …

  • 3 Votes
    5 Posts
    189 Views

    @DownPW Same here.

  • 2 Votes
    3 Posts
    165 Views

    @DownPW odd indeed. Looks like it’s spawning, immediately dying, then spawning again.

  • 4 Votes
    2 Posts
    214 Views

    @phenomlab this is useful πŸ‘ thanks

  • 6 Votes
    7 Posts
    379 Views

    @crazycells yes, this is something I see on a daily basis and despite how shockingly simple it is to conduct SIM jacking, it seems that several of the USA based banks are reluctant to switch to at least TOTP in the same sense as the USA has been extremely slow to adopt chip and pin - something Europe has been making use of for years.

    And they wonder why cheque and wire fraud is rife in America.