CSRF Token error when added on a layout page

guptast · May 25, 2024, 4:03am

Wappler Version : 6.6.0
Operating System : MacOS
Server Model: NodeJS
Database Type: MySQL
Hosting Type: Docker

Expected behavior

What do you think should happen?

The pages should load normally after the CSRF has been enabled in the global project settings and the meta tag for CSRF token has been added on the layout page.

Actual behavior

What actually happens?

The pages do not load, and error 500 is generated as below. If I remove the CSRF meta tag on the layout page, the website loads correctly. The meta tag has been added after the dmx scripts.

George · May 25, 2024, 7:42am

Have you enabled CSRF in the server. Connect options for this target?

guptast · May 25, 2024, 7:50am

Hi George,

Yes, I have enabled the CSRF server connection option. Are there other settings that need to be enabled as well?

George · May 25, 2024, 8:15am

That is it, but make sure those config options are published as well to the remote target.

guptast · May 25, 2024, 8:33am

The project is currently deployed locally in a docker container. Does it work only in a remote target?

Hyperbytes · May 25, 2024, 1:12pm

Same issue, but using wappler own server, same question

Cheese · May 25, 2024, 1:25pm

Did you bind the CSRF meta tag to the Function CSRF Token? Otherwise it will not be available within the page.

Hyperbytes · May 25, 2024, 3:51pm

Yes

guptast · May 26, 2024, 4:19am

Yes, I added the CSRF meta tag on the layout page.

guptast · May 27, 2024, 12:43am

The CSRF token is working in the project. The project assets were not updated after installing the Wappler v6.6.0.

When I restarted Wappler after installing the latest v6.6.0, I saw that the file lib\modules\csrf.js had been automatically added to the project files. So, I believed that this was the only update released. Today I checked the project asset updater and saw there were a few other file updates waiting for me to apply.

The confusion is stemming from the addition of lib\modules\csrf.js to every project reopened after updating to v6.6.0 even when the project asset updates are not being applied.

George · May 28, 2024, 7:40am

yes this file is now added to to core of server connect, so it will be added to all projects no matter if you have enabled CSRF or not. It is just not used when CSRF is not enabled.