Displaying an error message when CSRF token is invalid

Please have a look at How to display error message to users when CSRF token is invalid - Wappler General / Need Help - Wappler Community where the solution seems to be an inline flow as in

dmx-on:forbidden="run({condition:{outputType:'boolean',if:`lastError.response.contains(\'CSRF\', false)`,then:{steps:[{run:{outputType:'text',action:`scf_user_login_auth_sms.alert1.show()`}},{run:{outputType:'text',action:`scf_user_login_auth_sms.alert1.setType(\'danger\')`}},{run:{outputType:'text',action:`scf_user_login_auth_sms.alert1.setTextContent(\'The CSRF token has expired. Please refresh the browser.\')`}}]},else:{steps:[{run:{outputType:'text',action:`scf_user_login_auth_sms.alert1.show()`}},{run:{outputType:'text',action:`scf_user_login_auth_sms.alert1.setType(\'danger\')`}},{run:{outputType:'text',action:`scf_user_login_auth_sms.alert1.setTextContent(lastError.response)`}}]}}})"

Could this be turned into a better way?

Are you proposing the creation of a new Dynamic Event "On CSRF error"?

I'll leave it to the experts to come up with something that will improve the workflow, but yes, the Dynamic Event method could be a consideration.

But it would not surprise me if an error message was created automatically each time the CSRF token is set for the project. That is how I would view it.

I think the current forbidden event is fine, since it means you made a request with incorrect credentials. This can happen due to incorrect user permissions, an expired user session or an invalid/expired CSRF token.

The message that should be shown depends on your website/application. You could show an alert with a different message depending on the response from the server, or you could log out and redirect the user back to the login page, since they tried to request something they do not have access to. It all depends on the use case.
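As an added example that is not part of this thread and not Wappler's own code, here is the same decision written in plain JavaScript around fetch(): the 403 handling from the inline flow quoted at the top (case-insensitive check for "CSRF" in the response, then show a "token expired, refresh" message) plus the alternative described in the reply above (log out and redirect for any other 403). The function names, the alert element, the `X-CSRF-Token` header name and the exact wording the server uses for a CSRF failure are assumptions for illustration.

```javascript
// Added example (not Wappler's code): plain JavaScript handling of a 403
// ("forbidden") response. A 403 whose body mentions CSRF is treated as an
// expired/invalid token and the user is told to refresh; any other 403 is
// treated as a permissions or expired-session problem and the user is
// logged out. Names, element and header below are illustrative assumptions.

// Decide how a 403 should be handled based on the response body.
// Returns an object describing the action so the decision is testable.
function classifyForbidden(status, body) {
  if (status !== 403) {
    return { action: 'ignore', message: null };
  }
  const text = String(body ?? '');
  // Case-insensitive match, the same idea as
  // lastError.response.contains('CSRF', false) in the inline flow.
  if (/csrf/i.test(text)) {
    return {
      action: 'show',
      message: 'The CSRF token has expired. Please refresh the browser.',
    };
  }
  // Any other 403: the user requested something they are not allowed to
  // see, so send them back to the login page instead of showing a raw error.
  return { action: 'logout', message: text || 'Access denied.' };
}

// Apply the decision to the page. `alertEl` stands in for the Wappler
// alert component; `onLogout` for the app's logout-and-redirect routine.
function handleForbidden(decision, alertEl, onLogout) {
  switch (decision.action) {
    case 'show':
      alertEl.hidden = false;
      alertEl.className = 'alert alert-danger';
      alertEl.textContent = decision.message;
      break;
    case 'logout':
      onLogout(decision.message);
      break;
    default:
      break;
  }
  return decision.action;
}

// Wrapper around fetch() that routes any 403 through the functions above.
// Header name 'X-CSRF-Token' is an assumption; use whatever the server expects.
async function postWithCsrfHandling(url, formData, csrfToken, alertEl, onLogout) {
  const response = await fetch(url, {
    method: 'POST',
    headers: { 'X-CSRF-Token': csrfToken },
    body: formData,
    credentials: 'same-origin',
  });
  if (response.status === 403) {
    const body = await response.text();
    handleForbidden(classifyForbidden(403, body), alertEl, onLogout);
    return null;
  }
  return response;
}
```

The split into classifyForbidden and handleForbidden keeps the decision separate from the DOM side effects, so the "is this a CSRF failure or a real permission problem" rule can be unit-tested without a browser.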

Hi @patrick, I am coming round to agreeing with you. I have spent a bit of time on the subject trying different methods. I do think that, in most cases, the only forbidden action will be caused by an expired CSRF token. When the circumstance calls for it, implementing @Apple's solution using an inline flow should do the trick.

As far as I am concerned, this FR can be ignored/deleted.

Having said that, I think that developers do need to be warned about including the error message when a CSRF token is used.