# talk-kratos
c
hey guys, please tell me I am not going insane here. I am working on migrating my app to helm/k8s and for some dumb reason that breaks CSRF; locally and on my old setup everything works fine. Kratos is complaining that it finds the cookie but not the header, although it's literally logging that the header is there....
time=2022-08-20T09:23:39Z level=info msg=started handling request http_request=map[headers:map[accept:application/json, text/plain, */* user-agent:axios/0.21.4 x-csrf-token:6mvQVlntqx9jZJDAaaX6Xxlb3RzCeD1sPtQUzRrck2E= x-forwarded-for:172.17.0.1 x-forwarded-host:auth.hangar.test x-forwarded-port:443 x-forwarded-proto:https x-forwarded-scheme:https x-real-ip:172.17.0.1 x-request-id:3a579be8afe2adfe225624dc10f0f869 x-scheme:https] host:auth.hangar.test method:GET path:/self-service/login/flows query:id=472c8afd-5dd0-4659-9fce-d6fece8ef0a2 remote:172.17.0.5:43552 scheme:http]
time=2022-08-20T09:23:39Z level=info msg=An error occurred while handling a request audience=application error=map[debug: details:map[docs:https://www.ory.sh/kratos/docs/debug/csrf hint:The anti-CSRF cookie was found but the CSRF token was not included in the HTTP request body (csrf_token) nor in the HTTP Header (X-CSRF-Token). reject_reason:The HTTP Cookie Header was set and a CSRF token was sent but they do not match. We recommend deleting all cookies for this domain and retrying the flow.] message:the request was rejected to protect you from Cross-Site-Request-Forgery reason:Please retry the flow and optionally clear your cookies. The request was rejected to protect you from Cross-Site-Request-Forgery (CSRF) which could cause account takeover, leaking personal information, and other serious security issues. stack_trace:
github.com/ory/kratos/x.CSRFErrorReason
	/project/x/nosurf.go:179
github.com/ory/kratos/selfservice/flow/login.(*Handler).fetchFlow
	/project/selfservice/flow/login/handler.go:422
I don't even know why I need to add the header, as this is a server call, using the (Java) SDK, which just takes the cookie as a param; I added the header manually to see if that fixes the error. The docs also don't mention that I would have to pass an HTTP header... https://www.ory.sh/docs/kratos/reference/api#operation/getSelfServiceLoginFlow
side note: for some reason the cookie isn't logged in that message, but messages before it contain it? more log: https://paste.gg/p/anonymous/6896b437f6da4c04a42f9f5116d29772
r
It's missing in your form when you submit it.
That's at least what it claims
c
I am not submitting the form, this is the request to GET the form:
method:GET path:/self-service/login/flows query:id=472c8afd-5dd0-4659-9fce-d6fece8ef0a2
which I call from the server side, so it makes zero sense having to provide both the header and the cookie (and the docs agree with me), but even if I do both, it still complains, so something is really fucked here
r
I see now, sorry
oh, you are not even using browser flow?
c
np, I appreciate anybody looking at this, I've got absolutely no idea anymore, I am close to just trying to compile kratos and add debug logging or something, lol
no, I am using the browser flow: I redirect to /self-service/login/browser, that redirects to my page, which on the server calls GET /self-service/login/flows with the cookie of the client (and for testing also the csrf token as a header)
r
so usually i do the following:
• when no ?flow is in the URL, I send the client to kratos to init the flow
• when it comes back, it should have ?flow= (and not ?id=)
then i can fetch the data for forms and csrf based on the query param ?flow
then submit the form to that URL or do a fetch() (or use an SDK)
c
that's exactly what I am doing, the "id" param is for the request to kratos to get the flow 🙂
r
but what does id?
c
like, this worked for months on my staging instance and locally, I am only trying to get this to work in helm/k8s and for some reason everything is broken
r
id (required, string): The Login Flow ID. The value for this parameter comes from the flow URL query parameter sent to your application (e.g. /login?flow=abcde).
r
oh, so you are stuck at fetching the flow info
c
yep, that ends in the csrf violation
r
ok, gotcha, i am a bit slow today
let me check what i do
and you fetch server side? (just double-checking)
c
yep
r
i use an sdk
c
I use the Java sdk
r
getSelfServiceLoginFlow(id)
c
no, wrong, the JS one
yep
r
is your sdk up to date ?
it may need a bump
c
well, I can see the request ending up correctly in the kratos log, with the cookie and header
but yes, just checked, latest sdk
r
if this is client-side, can you double-check what cookies are attached to the request? in your browser's console
c
the failing request is server -> kratos, but I logged the csrf token + cookie
r
is this a nodejs app?
c
nuxt, yes
it's just something fucked with my kratos settings, I am pretty sure
like, I am trying via IntelliJ's HTTP client rn and it's failing too
r
i don't know too much how nuxt works, but it looks "fine" as in, you seem to drag the cookie around
it seems that for this particular request, you may not have to send any cookies or csrf tokens
and maybe the fact that you did, threw it off
c
the docs explicitly mention that you need to pass the cookie header; the csrf header I added later to try to fix the issue
r
maybe your .test domain has an older cookie still set?
and that collides
c
I think I cleared cookies a million times today, lol
r
haha
c
ok shit I managed to get it working in my HTTP client now so kratos is working
fuck that means something in my code is wrong after all
r
well, better than nothing 😄
haha
what did you have to change?
c
I just automated stuff
ok cool, now I can fiddle with it to better understand the kratos error message
because
client.global.set("cookie_header", response.headers.valuesOf("Set-Cookie")[0].replace("csrf_token_", "csrf_token_2"));
ends in the same error
so the hint is just plainly wrong
r
probably a weird edge case where the error is almost appropriate
your hangar stuff looks neat
is that some kind of e2e testing framework?
the screenshot
c
it's IntelliJ's HTTP client
it's awesome
r
interesting, like their own version of postman, but in the IDE
c
and miles better, 'cause JetBrains
it can autocomplete URLs based on your project
and this whole scripting stuff
you can even define tests in it if you want
uuuuh, this might be a race condition actually
yeah no
https://i.imgur.com/lDtBd2k.png
I don't understand, I send the request to /login/browser, get the flow and csrf token, send the request to /login/flows with the id and the csrf token and it ends in an error
wait something is weird, I just saw the 307s
fuck, am I talking to the wrong host?
yeah fuck, pretty sure that's it
now I can login but my settings page is doing dumb redirects, why am I so cursed today
everything is working now, I can't believe all of this was caused by a wrong setting
r
😄
so what was actually wrong?
wrong URL somewhere?
c
I talked to the admin host, not the public one
r
ugh...
could have been a more obvious error somewhere
are you testing all this locally?
c
well, locally I had other settings, which is why it broke in k8s
(but yes, I have minikube running where I test this)
r
neat, i am playing around with colima right now
c
<-- Windows user 😛