Kratos sends different CSRF tokens in Cookie header and Body for Registration

[CanLikeTo]

Hi, I'm busy implementing registration in my app (SPA browser app) and I'm having some trouble when submitting the form. I keep on getting a 403 response. I found the following in the logs:

An error occurred while handling a request func=github.com/ory/herodot.DefaultErrorReporter.func1 file=/go/pkg/mod/github.com/ory/[email protected]/error_reporter.go:24 audience=application error=map[debug: details:map[docs:https://www.ory.sh/kratos/docs/debug/csrf hint:The anti-CSRF cookie was found but the CSRF token was not included in the HTTP request body (csrf_token) nor in the HTTP Header (X-CSRF-Token). reject_reason:The HTTP Cookie Header was set and a CSRF token was sent but they do not match. We recommend deleting all cookies for this domain and retrying the flow.] message:the request was rejected to protect you from Cross-Site-Request-Forgery reason:The request was rejected to protect you from Cross-Site-Request-Forgery (CSRF) which could cause account takeover, leaking personal information, and other serious security issues. status:Forbidden status_code:403

After some investigation I found that the value of the CSRF token in the cookie doesn't match the value in the hidden field. So I manually requested the registration flow from Kratos in the terminal and saw this:

$ curl -v -s -X GET \
>     -H "Accept: application/json"  \
>     http://localhost:4433/self-service/registration/browser | jq .
*   Trying ::1:4433...
* TCP_NODELAY set
* Connected to localhost (::1) port 4433 (#0)
> GET /self-service/registration/browser HTTP/1.1
> Host: localhost:4433
> User-Agent: curl/7.68.0
> Accept: application/json
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Cache-Control: private, no-cache, no-store, must-revalidate
< Content-Type: application/json; charset=utf-8
< Set-Cookie: aHR0cHM6Ly9jYW5saWtldG8tZWF0ZXJhdG9yLXI0Z2dyNjVyM3g5NDktNDQzMy5naXRodWJwcmV2aWV3LmRldi8_csrf_token=Ymb72X47oQkU0kl1KMhpGqZCXX2rrx2otp1CcZeRBx8=; Path=/; Max-Age=31536000; HttpOnly; SameSite=Lax
< Vary: Cookie
< Date: Thu, 22 Jul 2021 09:35:14 GMT
< Content-Length: 1233
< 
{ [1233 bytes data]
* Connection #0 to host localhost left intact
{
  "id": "6ecf7aa9-ce2a-41bd-9a0f-d3ef3698353e",
  "type": "browser",
  "expires_at": "2021-07-22T10:35:14.716704147Z",
  "issued_at": "2021-07-22T09:35:14.716704147Z",
  "request_url": "http://localhost:4433/self-service/registration/browser",
  "ui": {
    "action": "https://.../self-service/registration?flow=6ecf7aa9-ce2a-41bd-9a0f-d3ef3698353e",
    "method": "POST",
    "nodes": [
      {
        "type": "input",
        "group": "default",
        "attributes": {
          "name": "csrf_token",
          "type": "hidden",
          "value": "zICxJwuMzppZRE1COhpU5QBscrK8XOlPNvO5h3yeoDyu5kr+dbdvk02WBDcS0j3/pi4vzxfz9OeAbvv26w+nIw==",
          "required": true,
          "disabled": false
        },
        "messages": [],
        "meta": {}
      },
      ...
    ]
  }
}

The value in the cookie doesn't match the value in the input node. I've tried to eliminate any mistakes on my side, but I'm not sure what else can be wrong.

I'm using the kratos:v0.7.0-alpha.1-sqlite image.

[aeneasr]

The value in the cookie is an encrypted base truth, the csrf token itself is derived from it - so they never match! Make sure that the CSRF token is not overwritten - we had a bug where there was a race condition between calling the browser init endpoint and the session whoami, which caused the cookie to be overwritten.

[aeneasr]

#1580

[CanLikeTo]

Thanks, I've found the issue. I was POST'ing to the wrong endpoint /self-service/registration/browser instead of self-service/registration 🤦