
Improve invalid CSRF token logging + add explicit dependency #1130

Merged: 7 commits merged into main from invalid_csrf_token on Sep 16, 2024

Conversation

melroy89
Member

@melroy89 melroy89 commented Sep 13, 2024

Small improvements:

  • Add $id to the invalid CSRF error message, so we know which ID is causing the issue.
  • Add the missing symfony/security-csrf explicit dependency
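
As an added illustration of the first point (example code, not the project's own AbstractController): a controller helper that validates a CSRF token and, when validation fails, puts the token ID into the exception message so the failing action can be identified in the logs. The class layout, the constructor injection and the method name `validateCsrf` are assumptions; the message format is the one visible in the log lines quoted later in this thread, and the token manager interface is the reason symfony/security-csrf is an explicit dependency.

```php
<?php
// Added example, not the project's code. Assumed: the app's base controller
// receives the CSRF token manager via constructor injection and exposes a
// validateCsrf() helper that the action controllers call.
declare(strict_types=1);

namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController as SymfonyAbstractController;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\Security\Csrf\CsrfToken;
use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;

abstract class AbstractController extends SymfonyAbstractController
{
    // CsrfTokenManagerInterface lives in symfony/security-csrf, hence the
    // explicit composer dependency.
    public function __construct(private readonly CsrfTokenManagerInterface $csrfTokenManager)
    {
    }

    /**
     * Validate the CSRF token submitted for the action identified by $id
     * (for example "favourite", "vote", "boost" or "subscribe").
     *
     * @param string $id    the token ID the form/link was rendered with
     * @param mixed  $token the raw value taken from the request
     *
     * @throws BadRequestHttpException when the token is missing, not a string,
     *                                 or does not match the one stored in the session
     */
    protected function validateCsrf(string $id, mixed $token): void
    {
        // A non-string token (null, array, ...) can never be valid; record that
        // fact in the message instead of letting the manager reject it silently.
        $isString = is_string($token);

        if (!$isString || !$this->csrfTokenManager->isTokenValid(new CsrfToken($id, $token))) {
            throw new BadRequestHttpException(sprintf(
                'Invalid CSRF token, with ID: %s. Is token a string?: %d',
                $id,
                $isString ? 1 : 0
            ));
        }
    }
}
```

With the ID in the message, a log line immediately tells you which action (upvote, downvote, boost, subscribe) produced the failure, and the "Is token a string?" flag separates a missing or malformed token from a token that was present but rejected, which points at session/cache problems rather than at the form.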

@melroy89 melroy89 added this to the v1.7.2 milestone Sep 13, 2024
@melroy89 melroy89 added the bug Something isn't working label Sep 13, 2024
@melroy89
Member Author

ow.. I got finally something in my log (after a long time of waiting):

{"message":"Uncaught PHP Exception Symfony\\Component\\HttpKernel\\Exception\\BadRequestHttpException: \"Invalid CSRF token, with ID: favourite. Is token a string?: 1\" at AbstractController.php line 40","context":{"exception":{"class":"Symfony\\Component\\HttpKernel\\Exception\\BadRequestHttpException","message":"Invalid CSRF token, with ID: favourite. Is token a string?: 1","code":0,"file":"/var/www/kbin.melroy.org/html/src/Controller/AbstractController.php:40"}},"level":400,"level_name":"ERROR","channel":"request","datetime":"2024-09-14T15:10:01.670332+02:00","extra":{}}
{"message":"Uncaught PHP Exception Symfony\\Component\\HttpKernel\\Exception\\BadRequestHttpException: \"Invalid CSRF token, with ID: favourite. Is token a string?: 1\" at AbstractController.php line 40","context":{"exception":{"class":"Symfony\\Component\\HttpKernel\\Exception\\BadRequestHttpException","message":"Invalid CSRF token, with ID: favourite. Is token a string?: 1","code":0,"file":"/var/www/kbin.melroy.org/html/src/Controller/AbstractController.php:40"}},"level":400,"level_name":"ERROR","channel":"request","datetime":"2024-09-14T15:10:02.069033+02:00","extra":{}}

@melroy89 melroy89 added the help wanted Extra attention is needed label Sep 14, 2024
@BentiGorlich
Member

BentiGorlich commented Sep 14, 2024 via email

@melroy89
Member Author

melroy89 commented Sep 14, 2024

Could it be a problem with the antispam bundle as well?

Nah, our anti-spam bundle is only implemented on two forms: Registration form & contact form... Also I would expect to see another error message in that case. What you see above is an invalid CSRF.. Most likely due to caching.. or <unknown>.

@osaerisxero

This happens to me fairly regularly, but I believe only on mobile, which I use via webclip on Android with Firefox as the browser. Are you wanting the URI of the error page when it occurs?

@melroy89
Member Author

This happens to me fairly regularly, but I believe only on mobile, which I use via webclip on Android with Firefox as the browser. Are you wanting the URI of the error page when it occurs?

Thanks for responding!

@osaerisxero Sorry, webclip? Webclip is Apple, I think. But maybe you mean a Progressive Web App (PWA) installed on the home screen of your Android device using Firefox?

Any info would help, like:

  • What is the instance you are using? kbin.melroy.org or something else?
  • What android version?
  • Firefox or a special fork of Firefox?
  • Do you mean you installed it as a PWA application on your android home screen?
  • What is the full URL when this happens?
  • Do you get an error page or are you logged-out?
  • What action did you perform before this happened? Like voting, boost or anything else?..
  • Anything else I couldn't think of right now.. If you can share more info the better (the only thing I don't need to know is your pincode 😆 )

@osaerisxero

Ha, yes, I mean PWA.

Firefox version 130.0 (Build #2016041319), hg-b73ccdf1f861+

KES extension version 4.2.1

@osaerisxero@kbin.melroy.org

The URL does match the choice=1 format when it happens iirc, but I will need to look up how to make the PWA session expose the URL bar and/or dev tools so I can provide a full one or a peek at the browser console. I should have some free time this evening to tinker with it.

@osaerisxero

Amusingly it happened 2 upvotes after I sent the prior message. I'm going to switch to being in the full browser for the rest of the afternoon to see if I can get the error to pop there.

@melroy89
Member Author

melroy89 commented Sep 14, 2024

Amusingly it happened 2 upvotes after I sent the prior message. I'm going to switch to being in the full browser for the rest of the afternoon to see if I can get the error to pop there.

I was following the logs live at the moment, so I got the exact errors you experienced, I believe. These seem to be coming from "favourite", which is indeed when you upvote a comment in a thread, for example:

{"message":"Uncaught PHP Exception Symfony\\Component\\HttpKernel\\Exception\\BadRequestHttpException: \"Invalid CSRF token, with ID: favourite. Is token a string?: 1\" at AbstractController.php line 40","context":{"exception":{"class":"Symfony\\Component\\HttpKernel\\Exception\\BadRequestHttpException","message":"Invalid CSRF token, with ID: favourite. Is token a string?: 1","code":0,"file":"/var/www/kbin.melroy.org/html/src/Controller/AbstractController.php:40"}},"level":400,"level_name":"ERROR","channel":"request","datetime":"2024-09-14T20:09:02.740028+02:00","extra":{}}
{"message":"Uncaught PHP Exception Symfony\\Component\\HttpKernel\\Exception\\BadRequestHttpException: \"Invalid CSRF token, with ID: favourite. Is token a string?: 1\" at AbstractController.php line 40","context":{"exception":{"class":"Symfony\\Component\\HttpKernel\\Exception\\BadRequestHttpException","message":"Invalid CSRF token, with ID: favourite. Is token a string?: 1","code":0,"file":"/var/www/kbin.melroy.org/html/src/Controller/AbstractController.php:40"}},"level":400,"level_name":"ERROR","channel":"request","datetime":"2024-09-14T20:09:03.128857+02:00","extra":{}}

We just don't know yet why the CSRF tokens become invalid.. The only thing we expect is happening is that it is due to some Symfony cache.

@osaerisxero

It does proc on standard-browser-mode firefox. I should have hooked it up to a desktop browser for debugging before that, but I've got it hooked up now. We'll see what we can see if I can get it to proc again before I have to stop working on this for a while :)

Seems that the token itself is filled in at all times. But the validation is 'just' failing.
@melroy89 melroy89 changed the title Debugging invalid CSRF token Improve invalid CSRF token logging Sep 16, 2024
@melroy89 melroy89 changed the title Improve invalid CSRF token logging Improve invalid CSRF token logging + add explicit dependency Sep 16, 2024
@melroy89 melroy89 marked this pull request as ready for review September 16, 2024 09:50
@melroy89 melroy89 merged commit 5aec5d8 into main Sep 16, 2024
7 checks passed
@melroy89 melroy89 deleted the invalid_csrf_token branch September 16, 2024 09:53
@melroy89
Member Author

melroy89 commented Sep 16, 2024

Latest info from Jerry, the CSRF IDs that he is seeing in the error logs are:

  • vote (down vote)
  • favourite (up vote)
  • boost
  • subscribe
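
To make the log lines quoted in this thread and the list of IDs above easier to work with, here is an added example (not part of the PR or the project) that groups Monolog JSON lines by the CSRF ID embedded in the message and reports, per ID, how many failures occurred, how many had a non-string token, and the time span they cover. The two quoted lines are about 400 ms apart, so a per-ID span of under a second for a pair of failures is the pattern to look for when deciding whether a stale cached page is replaying the same token. The sample input is constructed: it abridges the lines posted above and adds one "vote" line with a non-string token to exercise the second counter; the function name and the regex are assumptions.

```php
<?php
// Added example, not the project's code. Summarises CSRF failures per token ID
// from Monolog JSON lines of the shape posted in this thread.
declare(strict_types=1);

// Matches the message format "Invalid CSRF token, with ID: <id>. Is token a string?: <0|1>".
const CSRF_MESSAGE_PATTERN =
    '/Invalid CSRF token, with ID: (?<id>[A-Za-z0-9_-]+)\. Is token a string\?: (?<isString>[01])/';

/**
 * @param iterable<string> $lines raw JSON log lines, one object per line
 *
 * @return array<string, array{count:int, non_string:int, first:?string, last:?string, span_s:float}>
 */
function summariseCsrfFailures(iterable $lines): array
{
    $summary = [];

    foreach ($lines as $line) {
        $line = trim($line);
        if ($line === '') {
            continue;
        }
        $entry = json_decode($line, true, 512, JSON_THROW_ON_ERROR);

        // Prefer the exception message in the context; fall back to the top-level message.
        $message = $entry['context']['exception']['message'] ?? $entry['message'] ?? '';
        if (!preg_match(CSRF_MESSAGE_PATTERN, $message, $m)) {
            continue; // not a CSRF failure, ignore
        }

        $id = $m['id'];
        $summary[$id] ??= ['count' => 0, 'non_string' => 0, 'first' => null, 'last' => null, 'span_s' => 0.0];
        $summary[$id]['count']++;
        if ($m['isString'] === '0') {
            $summary[$id]['non_string']++;
        }

        $ts = $entry['datetime'] ?? null;
        $summary[$id]['first'] ??= $ts;
        $summary[$id]['last'] = $ts;
    }

    // Time covered by the failures of each ID, in seconds (0 for a single hit).
    foreach ($summary as $id => $s) {
        if ($s['first'] !== null && $s['last'] !== null) {
            $first = new DateTimeImmutable($s['first']);
            $last = new DateTimeImmutable($s['last']);
            $summary[$id]['span_s'] = (float) $last->format('U.u') - (float) $first->format('U.u');
        }
    }

    return $summary;
}

// Constructed sample: the two "favourite" lines from the thread (top-level message
// abridged) plus one made-up "vote" line whose token was not a string.
$sample = <<<'LOG'
{"message":"Uncaught PHP Exception BadRequestHttpException","context":{"exception":{"class":"Symfony\\Component\\HttpKernel\\Exception\\BadRequestHttpException","message":"Invalid CSRF token, with ID: favourite. Is token a string?: 1","code":0,"file":"/var/www/kbin.melroy.org/html/src/Controller/AbstractController.php:40"}},"level":400,"level_name":"ERROR","channel":"request","datetime":"2024-09-14T20:09:02.740028+02:00","extra":{}}
{"message":"Uncaught PHP Exception BadRequestHttpException","context":{"exception":{"class":"Symfony\\Component\\HttpKernel\\Exception\\BadRequestHttpException","message":"Invalid CSRF token, with ID: favourite. Is token a string?: 1","code":0,"file":"/var/www/kbin.melroy.org/html/src/Controller/AbstractController.php:40"}},"level":400,"level_name":"ERROR","channel":"request","datetime":"2024-09-14T20:09:03.128857+02:00","extra":{}}
{"message":"Uncaught PHP Exception BadRequestHttpException","context":{"exception":{"class":"Symfony\\Component\\HttpKernel\\Exception\\BadRequestHttpException","message":"Invalid CSRF token, with ID: vote. Is token a string?: 0","code":0,"file":"/var/www/kbin.melroy.org/html/src/Controller/AbstractController.php:40"}},"level":400,"level_name":"ERROR","channel":"request","datetime":"2024-09-14T20:10:15.000000+02:00","extra":{}}
LOG;

foreach (summariseCsrfFailures(explode("\n", $sample)) as $id => $s) {
    printf(
        "%-10s count=%d non_string=%d span=%.3fs first=%s last=%s\n",
        $id, $s['count'], $s['non_string'], $s['span_s'], $s['first'], $s['last']
    );
}
```

Run it against the real request-channel log (for example `php summarise.php < request.log` after replacing `$sample` with `file('php://stdin')`) to see which of the four IDs dominate and whether failures cluster in sub-second pairs; a high `non_string` count would instead point at requests arriving without the token field at all.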
