CSRF token mismatch on Beta 9 upgrade

Scumi

Since the upgrade, I cannot login via curl post request anymore. I always get "{"errors":[{"status":"400","code":"csrf_token_mismatch"}]}". I guess it has something to do with the improved CSRF protection. Is there something new required in the payload?

luceos

Scumi try clearing cache with php flarum cache:clear

Scumi

luceos Done after the upgrade and now again. Issue persists.

clarkwinkelmann

DSitC It looks like your issue is caused in the change in Flarum core to address https://github.com/flarum/core/security/advisories/GHSA-3wjh-93gr-chh6

Now all API endpoints require the use of the CSRF token, or the use of an API token.

Maybe we should allow the login endpoint without either of those, if so please let us know, we might consider opening an issue to get this corrected in a future Flarum release.

From what kind of setup or app are you hitting the login endpoint ? If you are querying from a local or server-side script and you are the owner of the forum, you can use a master API token to authorize yourself to perform that request. If your script only deals with administrative tasks you might want to use the master token directly for all requests.

Creating a Flarum master token is described here for instance https://discuss.flarum.org/d/1925-flagrow-generic-php-api-client-for-flarum-installations (I couldn't find any official guide from ourselves 🤔 )

If you are not the owner of the forum you want to create a token for, there's no other way than getting a CSRF token, which might be a very tricky situation from command line.

Scumi

Thank you very much for your detailed explanation.

I have a homepage, which has the Flarum forum on a subdomain. When a user logs into the main page, they also get logged in on the forum. Vice versa for logout. If I use the API master token instead of a generated token for the respective user, I can only log in the admin.

private function getToken($username, $password)
{
	$data = [
		'identification' => $username,
		'password' => $password,
		'lifetime' => $this->getLifetimeInSeconds(),
	];
	
	$response = $this->sendRequest('/api/token', $data, null, 'POST');

	return isset($response['token']) ? $response['token'] : '';
}

private function sendRequest($path, $data, $token, $method)
{
	$data_string = json_encode($data);
	$ch = curl_init($this->config['forum_url'] . $path);
	curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
	curl_setopt($ch, CURLOPT_POSTFIELDS, $data_string);
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
	curl_setopt($ch, CURLOPT_HTTPHEADER, [
			'Content-Type: application/json',
			'Content-Length: ' . strlen($data_string),
			'Authorization: Token ' . $token
		]
	);

	$result = curl_exec($ch);

	return json_decode($result, true);
}

clarkwinkelmann

Scumi what you can do, is use an API KEY (I called it master token above) to perform your initial request to /api/token, then use the token returned by that endpoint to perform subsequent requests as the user.

Something like this:

POST /api/token
Authorization: Token <api key>;userId=1

Then:

POST /api/whatyouwanttodo
Authorization: Token <user access key>

In the process of checking if this works, I actually noticed we might have a problem with the user access token implementation in beta 9, it seems all API requests return a 500 error when using an access token. I'm checking this with the team and will open an issue. (EDIT: opened issue flarum/core1828)

Scumi I can only log in the admin

I have successfully authenticated as a non-admin with the /api/token endpoint by using an API KEY and the ;userId= of an admin in the Authorization header, so it seems to work.

Do you perform any other Flarum API request after requesting a token, or do you just create this token and put it inside of the session or something like that ? If you only use the /api/token endpoint, this should work with an API KEY as described above.

Scumi

I did a few tests, none of them got me logged in:

Tried authenticating the admin and use the token to authenticate the user.
- Result: 500 error for the second request (just as you mentioned)
Tried authenticating the user while providing the API KEY as token (your second proposal)
- worked for the admin
- does not work for any other user (401 error)

I'm clueless why the second one does not work for me but does for you.

Code:

private function getToken($username, $password)
{
	$data = [
		'identification' => $username,
		'password' => $password,
		'lifetime' => $this->getLifetimeInSeconds(),
	];

        $token = $this->config['forum_api_key'] . '; userId=1';

	$response = $this->sendRequest('/api/token', $data, $token, 'POST');

	return isset($response['token']) ? $response['token'] : '';
}

Scumi

Okay, it doesn't work on my dev server, but does on my production server.

Methods that work with API KEY authentication:

login
create a new forum user
update forum user details.

Methods that do not work:

deleting a forum user

clarkwinkelmann

Scumi Methods that do not work:

What happens when you try ? Just a "Not authorized" response or is there an error ?

Also you can't delete yourself, so the userId= of the Authorization header shouldn't be the same as the user you're attempting to delete. This might not be what you're doing but I just want to make sure.

Scumi

There is no error at all currently. I try to troubleshoot tomorrow.

Scumi

Okay, you can mark this as solved. My method transferred an incorrect id of the forum user.

I still have to see why Flarum does not communicate with my main page on the dev server, but that's none of your business. ;-)

Many thanks for your help.

clarkwinkelmann

Scumi great to hear ! I'm adding the solved tag.