-
|
Hey, I've been trying to implement the self service stuff in a next js app, but it's giving the anti csrf token error - Here is the repro - https://github.com/Unbuttun/kratos-next Can someone guide me a bit on where the things are going wrong? Error happens when this line runs. |
Beta Was this translation helpful? Give feedback.
Replies: 3 comments 3 replies
-
|
Can you check out the Chrome Developer Tools (or any comparable technology) Cookies tabs in the Application tab, as well as the network tab - look for I think you also have to implement this in your kratos.ts, have a look at this implementation https://github.com/Raghav-Modani/AnC-Accounts/blob/raghav/services/kratos.ts I didn't test it out, but will have a go at it over the weekend! |
Beta Was this translation helpful? Give feedback.
-
|
hey @vinckr the repo you mentioned is not there, is the link wrong? |
Beta Was this translation helpful? Give feedback.
-
|
Oh, it must have been deleted? I would swear it was there when I posted this. |
Beta Was this translation helpful? Give feedback.
-
|
I found more info on why it might be happening.
In here you can see that the cookie and flowId that are being logged in serverSide and client side are same.
The cookie that is being send in this request is also same as the one's above. But in this request, the csrf token has changed for some reason.
This is the response object - {
"error": {
"code": 403,
"status": "Forbidden",
"reason": "The request was rejected to protect you from Cross-Site-Request-Forgery (CSRF) which could cause account takeover, leaking personal information, and other serious security issues.",
"details": {
"docs": "https://www.ory.sh/kratos/docs/debug/csrf",
"hint": "The anti-CSRF cookie was found but the CSRF token was not included in the HTTP request body (csrf_token) nor in the HTTP Header (X-CSRF-Token).",
"reject_reason": "The HTTP Cookie Header was set and a CSRF token was sent but they do not match. We recommend deleting all cookies for this domain and retrying the flow."
},
"message": "the request was rejected to protect you from Cross-Site-Request-Forgery"
}
}Also the cookie that can be accessed from the storage is same as the one i logged above, but not the one that is getting recieved /send in the last picture |
Beta Was this translation helpful? Give feedback.
-
|
Taking hints from the self-service-node's official example, I moved the kratos initialization part inside the export async function getServerSideProps(context: NextPageContext) {
const allCookies = context.req.headers.cookie;
const flowId = context.query.flow;
if (!flowId) {
return {
redirect: {
destination: `${API_URL}/self-service/login/browser`,
},
};
}
let flowData: SelfServiceLoginFlow | void;
if (allCookies && flowId) {
const data = await kratos
.getSelfServiceLoginFlow(flowId.toString(), allCookies)
.then(({ data: flow }) => {
return flow;
})
.catch((err) => {
console.log("err", err);
});
flowData = data;
}
return {
props: {
flowData: flowData ? flowData : null,
},
};
} |
Beta Was this translation helpful? Give feedback.
-
|
Awesome that you got it working 🎉 |
Beta Was this translation helpful? Give feedback.
Taking hints from the self-service-node's official example, I moved the kratos initialization part inside the
getServerSideProps, and now it's working and giving results with No csrf errors anymore.