Current Behavior
Calling an endpoint protected with csrf.Protect results in a 403 status and empty response when no header is set - I expect this. However, the client needs a CSRF token to retry with, and none is provided.
I attempted to manually set the CSRF token for errored requests by providing an error handler to the middleware factory:
However, the reason error here is not ErrNoToken, but rather an error with the message "securecookie: hash key is not set". This appears to be an error message from a different Gorilla library.
If I omit the reason check and simply include the CSRF token in all error responses, I get a response with the header X-Csrf-Token set to an empty string - it appears the middleware isn't generating a token for any request coming into the server.
It's possible I'm using the library wrong, but I can't understand how a client is meant to get the initial CSRF token. I assume the server will error with 403 and include the token, and the client should retry. The only other options I can think of are to include the token in the login response (which by definition can't be protected by CSRF and is currently excluded from the middleware, so no token is generated), or to set up a separate unauthenticated endpoint where clients can POST just to get their initial CSRF token, but I don't see that approach mentioned anywhere in the docs.
Expected Behavior
I expect the csrf.Protect middleware to generate a CSRF token for errored requests, so that I can retrieve it with csrf.Token(request) and set the appropriate response header, allowing clients to retry with a token.
Steps To Reproduce
No response
Anything else?
No response