anticsrf issue
# support-questions
t
Hey rp, I'm implementing a solution for session management where we have the login authentication handled externally as well as two-factor authentication. I've been able to get everything working but can't seem to get antiCsrf showing in the Token or in the header. The purpose of this server is to be used for a mobile application
r
hey @tykindsir
are you using header based or cookie based auth?
t
Cookie based
r
can I see the response headers for the API that creates a new session?
t

https://cdn.discordapp.com/attachments/1110837886921756683/1110838435209560115/image.png

eyJraWQiOiJkLTE2ODQ3MTYwNzE3ODIiLCJ0eXAiOiJKV1QiLCJ2ZXJzaW9uIjoiMyIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiIwMDExczAwMDAxaWQyNHkiLCJleHAiOjE2ODQ5MTg1MDYsImlhdCI6MTY4NDkxNDkwNiwic2Vzc2lvbkhhbmRsZSI6IjY4ZGI4ZjYwLWFmYTAtNGVjNS05OGZkLWNlMjZiY2NjOTlhYSIsInJlZnJlc2hUb2tlbkhhc2gxIjoiYTc1OGIyY2Q5OTc4YTJmNjE3NWNkMDZhZWRmNjlmY2FhOTM3MjUwMGIzMGY4NjRlZDZjOTY2ZGQ3MTM2ZWU1YiIsInBhcmVudFJlZnJlc2hUb2tlbkhhc2gxIjpudWxsLCJhbnRpQ3NyZlRva2VuIjpudWxsLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjcyNzIvYXV0aCIsIjJmYS1jb21wbGV0ZWQiOnsidiI6ZmFsc2UsInQiOjE2ODQ5MTQ5MDY5Mjd9fQ.Vs5wp96PZqwL-s368uao3FIpUcyYHucfSaQYXdhvjv017mroxTtiMx-7DUw9r4INZP7xswX1_yVadKFj3wa3KQ44ghGfZuLhpw3pbI0eqKngR12IXXeCUd5RS098wnICubairXRpSLNc4K6AVcMfp0e_TaJ1bg0amSCepM0UxwlJ9SZ3YBqugDGxIooG3oeE8SSS4b7tf0nWIOa7ix5uuourRxuHcj5QPIibDW1C4TY483gTDjlI_sK7JCf46-FgvRmQEI2FQGZj9hUVM8r4K3rscRBVYv1nMBHS-SM3eQ8L7qc2J2DbgmNIsdkvcJPSYKL1AO7Oh8blW_rkRkCBAw
This is the access token which still requires a claim
the fastify route for the endpoint is:
fastify.route({
    method: "POST",
    url: "/login",
    handler: dataController.login,
});
and the respective method
// Assumed, not in the original message: the SuperTokens session recipe and the
// base options object for the call to the external login service.
const session = require("supertokens-node/recipe/session");
const requestOptions = {
    method: "POST",
    headers: { "Content-Type": "application/json" },
};

const login = async (req, res) => {
    // Forward the client's credentials to the external authentication service.
    requestOptions.body = JSON.stringify(req.body);
    try {
        let response = await fetch(
            `${process.env.EXTERNAL_BASE_URI}/auth/login`,
            requestOptions
        );

        let responseBody = await response.json();
        if (responseBody.success) {
            // External login succeeded: create the SuperTokens session for this account.
            await session.createNewSession(
                req,
                res,
                `${responseBody?.data.account}~login`
            );
            return res.code(200).send({
                success: true,
                data: responseBody.data,
            });
        }
        return res.code(400).send({
            success: false,
            message: `${responseBody.message}`,
        });
    } catch (error) {
        throw error;
    }
};
r
right. So by default, we protect against CSRF using a custom header (in this case it's the rid header in the request)
if you want to explicitly enable CSRF, you can set the CSRF mode to VIA_TOKEN in the session.init on the backend
t
right ok, so I was currently setting rid to 'session', if I adjust that to some v4 uuid for example that will make the csrf effective?
r
not really.
t
I suppose I'm confused at how the antiCsrf token is actually being checked in this situation
r
yea
i mean for mobile apps, you don't really need anti-csrf anyway
t
Hm, it is react-native so I had some concern
r
not an issue either way
mobile apps don't need anti-csrf protection
t
Lovely, thanks for your time!