I am getting a CSRF error for ` admin session extend` with t Ory Community #talk-kratos

I am getting a CSRF error for `/admin/session/.../...

white-article-28775

08/02/2022, 10:56 AM

I am getting a CSRF error for

/admin/session/.../extend

, with the following details:

Copy code

{
  "docs": "<https://www.ory.sh/kratos/docs/debug/csrf>",
  "hint": "The anti-CSRF cookie was found but the CSRF token was not included in the HTTP request body (csrf_token) nor in the HTTP Header (X-CSRF-Token).",
  "reject_reason": "The HTTP Cookie Header was set and a CSRF token was sent but they do not match. We recommend deleting all cookies for this domain and retrying the flow."
}

This is self hosted kratos. I am so confused, other routes work as expected, any idea?

aloof-night-85159

08/02/2022, 1:24 PM

Take a look and see if you're sending the field with that name

csrf_token

in the form. When creating the form, you should create a hidden field with that name and the value that Kratos provides in the nodes section.

white-article-28775

08/02/2022, 1:28 PM

there is no form 🤔 it's the admin route for extension, it just takes a session id.

white-article-28775

08/02/2022, 1:29 PM

V0alpha2Api.adminExtendSession(id: string, options?: AxiosRequestConfig): Promise<AxiosResponse<Session>>

aloof-night-85159

08/02/2022, 1:31 PM

Oh, you´re using the SDK... I don't have experience there, sorry

white-article-28775

08/02/2022, 1:40 PM

Well but the admin extend route doesn't take any form in the API either... https://www.ory.sh/docs/kratos/reference/api#operation/adminExtendSession

red-machine-69654

08/02/2022, 2:33 PM

Form is relative, could be form data. But I see it should be just

PATCH

. Can you try the curl example to see if it works with sdk?

red-machine-69654

08/02/2022, 2:35 PM

I had to update the sdk yesterday, maybe something changed too. I would try that. I mean depending on your version of Kratos.

echoing-caravan-91564

08/02/2022, 3:25 PM

@white-article-28775 which SDK are you using?

white-article-28775

08/02/2022, 3:27 PM

The latest

@ory/client

and

@ory/integrations

on npm

echoing-caravan-91564

08/02/2022, 3:27 PM

@white-article-28775 do you have the code block for your SDK request?

white-article-28775

08/02/2022, 3:28 PM

It's literally just

ory.adminExtendSession(sessionId)

echoing-caravan-91564

08/03/2022, 4:01 PM

How did you set up the client

ory

white-article-28775

08/03/2022, 4:02 PM

With the edge config from

@ory/integrations

, i did the same thing as in the nextjs examle

echoing-caravan-91564

08/03/2022, 4:17 PM

Can you send the config? I'm not familiar with it

white-article-28775

08/03/2022, 4:21 PM

~~It really doesn't have anything...~~ ~~it's just~~

white-article-28775

08/03/2022, 4:23 PM

it's just

Copy code

const edgeConfig = {
  basePath: "/api/.ory",
  baseOptions: {
    withCredentials: true
  }
};

echoing-caravan-91564

08/03/2022, 4:27 PM

honestly I'm essentially dealing with a similar issue, I believe you need to pass the PAT to the request since its an admin endpoint

echoing-caravan-91564

08/03/2022, 4:27 PM

I suggest trying to get in contact with ory staff

white-article-28775

08/03/2022, 4:28 PM

See, the problem is, we also use another admin point (delete identity), and that one works fine 🤷

echoing-caravan-91564

08/03/2022, 4:30 PM

That is weird if another admin point is working...

white-article-28775

08/03/2022, 4:30 PM

Yep...

white-article-28775

08/03/2022, 4:30 PM

Should I just tag one f the devs? x_x

echoing-caravan-91564

08/03/2022, 4:30 PM

Yes, perhaps make a new thread since this one is a bit "messy" 😛

71 Views

Open in Slack

Previous Next