# talk-kratos

enough-winter-51484

01/14/2022, 2:15 PM
Hi, I am trying to set up a registration flow with ajax. It runs all on localhost. I serve Kratos with the --dev parameter and there is an env variable with true. I have issues with CSRF and cookies. The docs say, if I run it in dev mode, it will disable same-site Lax. But the response from the flow initialization does have same-site Lax. Am I doing something wrong? Client is running on localhost:8080, Kratos on localhost:8081 docs: https://www.ory.sh/kratos/docs/debug/csrf/#samesite-attribute
I searched in the repo on Github, I am not experienced with the GO language. But it looks like the SameSite is set here: https://github.com/ory/kratos/blob/cc99096d07408c8b713ef9a7b17b8345597a9129/x/nosurf.go#L142 It looks like sameSite = http.SameSiteLaxMode is set when it is in dev mode.

high-optician-2097

01/14/2022, 3:26 PM
Maybe this is documented incorrectly

enough-winter-51484

01/14/2022, 3:30 PM
Ok, but is there a way to work with this on localhost?

proud-plumber-24205

01/14/2022, 4:15 PM
hey @User maybe the host is incorrect? localhost vs 127.0.0.1
can you also give me some more information, such as logs on kratos and browser requests? I need a bit more understanding of what you have issues with.

enough-winter-51484

01/14/2022, 4:43 PM
Hi Alano, I'm not back home anymore. I can answer tomorrow with more details. But the initial flow request gives a cookie back with domain localhost and samesite Lax. The cookie was not stored in chrome and not sent with the actual registration request. The response is the CSRF error. For logs from Kratos, I have to look tomorrow. I checked if it was running in dev mode in the logs before, and it was.
Hi, I am back home earlier. I have the logs right here. I don't see anything remarkable. The request with the 403 status (CSRF error) is logged. What can I possibly look for that you can use to help me?
Yes found the problem 🙂
I am using the @ory/kratos-client node package. I use the initializeSelfServiceRegistrationFlowForBrowsers and the submitSelfServiceRegistrationFlow methods. The problem is, the requests (with axios) are not handling credentials by default. You have to set the withCredentials parameter. Like:
sdk.initializeSelfServiceRegistrationFlowForBrowsers(undefined, {
  withCredentials: true,
})
and:
sdk.submitSelfServiceRegistrationFlow(id, payload, {
  withCredentials: true,
})
I searched the SDK repo, and maybe default settings for axios, looking at creating a PR. But I did not find it.

high-optician-2097

01/15/2022, 9:31 AM
@User could you create a discussion with all the context and maybe screenshots from your dev console showing the cookies? It's so difficult to get the context in slack 😕 You can link it here and ping us, we are back in office on monday 🙂

enough-winter-51484

01/15/2022, 9:39 AM
Yes, but in which repo? It is solved by the withCredentials option in the sdk.

high-optician-2097

01/15/2022, 9:42 AM
Ah! Ok 🙂 I didn't see that. If you solved it, maybe add it to the docs in Ory Kratos where you would expect it?