We are getting the following error when sending a ...
# ory-network
a
We are getting the following error when sending a registration request from our iOS/Android App (react-native)
The HTTP Request Header included the "Cookie" key, indicating that this request was made by a Browser. The flow however was initiated as an API request. To prevent potential misuse and mitigate several attack vectors including CSRF, the request has been blocked. Please consult the documentation.
This is new and we are unaware that we changed anything. Is this a new security measure in Ory?
b
This is not new, but yes, it's a security measure. Could you double check that you're not using a cookie HTTP client somewhere?
a
We didn't change our software at all and it worked three days ago. 🤔 We use the Kratos SDK in a react-native app. We initialize FrontendApi and pass a Configuration with baseOptions: { withCredentials: true }. But as I said, we have been doing that for over a year now. When I change that to withCredentials: false, the problem seems to disappear.
b
Huh, okay, that is weird. We’ll investigate. Thanks for the report.
s
btw, in the end we found out that it was a change in our Cloudflare configuration
it was rolled back until we have a fix in place
m
Hello @ancient-judge-84558 I invited you to the production support channel. Please use this channel going forward to get support for your Ory Network project. Please also let me know if there is someone from your team not invited to that channel.
c
Hi guys! I found this thread and we started getting this issue on our side without any change in our code. Could it be linked to a Cloudflare configuration change?
s
I don't think so. The issue previously was that we did not ignore all Cloudflare cookies, but we do ignore all cookies: https://github.com/ory/kratos/pull/3499/files

```
curl -v https://playground.projects.oryapis.com/self-service/login
...
< set-cookie: __cf_bm=3ZH8roaDORRxGcS9rIi5jRwhd2cIV_UF_4My7iBc0pQ-1701789582-0-ActrA/dyx7eGxZh5NrQ0p9gLHc9IXLT9PzKaKW53AmRR9gsJ6zg69t63jOXYjf9Qu4EymJCD1ErGYVrnPbWXtfo=; path=/; expires=Tue, 05-Dec-23 15:49:42 GMT; domain=.oryapis.com; HttpOnly; Secure; SameSite=None
< set-cookie: __cflb=04dTob4edYf9Yrm7QzafdrhbBpLwWnvywCMW1VfhxP; SameSite=None; Secure; path=/; expires=Tue, 05-Dec-23 16:19:42 GMT; HttpOnly
< set-cookie: _cfuvid=0EgIOcmZAgR3nDKMTKHqcVjdM59KUPHkk2h3BG5Vc_U-1701789582602-0-604800000; path=/; domain=.oryapis.com; HttpOnly; Secure; SameSite=None
...
```
c
Thanks @steep-lamp-91158! We are going to test on our side.
Basically, we have an OAuth redirection:
1. We open the browser on iOS to a door access provider.
2. They redirect to our IdP (Ory) to authenticate the user.
3. Ory returns the OpenID session and the provider logs the client in.
Here is the information set in the browser; it was working before.

```javascript
const newSource = {
    headers: { 'X-Session-Token': sessionToken, Cookies: '' },
    uri: currentURI,
};
```

Right now, it blocks at the second step (Ory) with the error below. The error id is "645008c-1140-41...." Unfortunately, I don't have the full code; we got this screenshot from a client.
s
Did you manage to reproduce it? I'll search for the specific error in our monitoring
when did this happen?
c
This is not easy to reproduce because of the door access provider. I was hoping for a change on your side before digging more into reproducing the error. It takes some time to set up.
The hour is truncated, but it was 3pm in France today. Let me see in UTC.
s
ok that is precise enough, thx
c
2pm UTC
They tried again a few minutes ago. Thanks a lot @steep-lamp-91158
s
Did it work when they tried again?
This is what I found on our side:

```json
"details": {
  "docs": "https://www.ory.sh/kratos/docs/debug/csrf",
  "hint": "The anti-CSRF cookie was found but the CSRF token was not included in the HTTP request body (csrf_token) nor in the HTTP Header (X-CSRF-Token).",
  "reject_reason": "The HTTP Cookie Header was set and a CSRF token was sent but they do not match. We recommend deleting all cookies for this domain and retrying the flow."
}
```
c
No, they got the same issue. The problem is that we don't really control what the provider does when redirecting; they might set some cookies.
We don't set any headers, cookie or csrf token when initiating the auth.
We are going to try more solutions, I will keep you updated. Thanks!
a
@careful-pager-12918 I'm encountering a similar csrf issue when trying to set up custom UIs for an Ory Network/hosted solution. Did you end up finding a solution?
b
yes let me know if you find the solution as well
e
I've seen this error too, and find the details a bit confusing:

```json
"details": {
  "docs": "https://www.ory.sh/kratos/docs/debug/csrf",
  "hint": "The anti-CSRF cookie was found but the CSRF token was not included in the HTTP request body (csrf_token) nor in the HTTP Header (X-CSRF-Token).",
  "reject_reason": "The HTTP Cookie Header was set and a CSRF token was sent but they do not match. We recommend deleting all cookies for this domain and retrying the flow."
}
```

The `hint` and `reject_reason` seem to contradict each other:

"hint": "The anti-CSRF cookie was found but the CSRF token was not included in the HTTP request body (csrf_token) nor in the HTTP Header (X-CSRF-Token)."
"reject_reason": "The HTTP Cookie Header was set and a CSRF token was sent but they do not match. We recommend deleting all cookies for this domain and retrying the flow."
b
@early-oil-83208 I figured it out, the issue is that you have to pass both the csrf_token cookie and csrf_token token that you get from get_registration_flow. I updated my issue with the solution here: https://github.com/ory/kratos/discussions/3760
e
Thanks, but I think I have both... I suspect I've done something stupid like encoding one of them wrong. The response is still confusing though, because the `hint` says the `csrf_token` is missing, but the `reject_reason` says it's present (but doesn't match the cookie) 🤔