#general

FrAgOrDiE

03/30/2022, 4:52 PM
In NestJS I'm setting a POST request which doesn't work if using the Authentication guard. GET requests work, POST don't. It seems to be `resp.headersSent` being true in the authentication guard. How does this work?

rp

03/30/2022, 4:53 PM
@User can maybe help out.

porcellus

03/30/2022, 5:02 PM
Hi, sorry, I'll be back in 30 mins.
`resp.headersSent` should only be set if the response has already started.

FrAgOrDiE

03/30/2022, 5:03 PM
don't worry
yeah, but look
1. I'm sending a POST request - https://prnt.sc/PCEzc-Dnx731
2. In the auth guard, before calling the `verifySession` method, headersSent is FALSE - https://prnt.sc/s5tcPLR17ZFl
3. In the auth guard, right after `verifySession()` fires, headersSent is set to TRUE - https://prnt.sc/MrrIlDe6Hks5
4.
```ts
if (resp.headersSent) {
  throw new STError({
    message: 'RESPONSE_SENT',
    type: 'RESPONSE_SENT',
  });
}
```
this code snippet therefore throws an error
the same with a GET request... the variable is still set to false, so it doesn't throw an error

porcellus

03/30/2022, 5:49 PM
is the err variable set to anything?

FrAgOrDiE

03/30/2022, 5:52 PM
No, err is undefined

porcellus

03/30/2022, 7:24 PM
hmm, even when `headersSent` is true? I'll look into this more, but that's the only case this should happen.
hmm, I can't really find any reason it should be like this. It's really strange that it's different for POST and GET; the only reason I can think of is if this guard is running for `/auth` routes or if you set `refreshTokenPath`.
if neither of those are true: do you have a repo where I can reproduce this issue? or could we try to debug this on a call?
oh, and sorry for the late answer 🙂

rp

03/30/2022, 8:53 PM
The other diff between post and get is that get doesn’t require any anti csrf measures. So for example, get won’t require a custom header whilst post would.

FrAgOrDiE

03/30/2022, 9:40 PM
yes!
that seems to be the problem! I passed antiCsrfCheck: false to the function and it works
how am I supposed to make it work with the CSRF check?

rp

03/30/2022, 9:42 PM
I see. In the sign in request, do you get an explicit anti CSRF token back?

FrAgOrDiE

03/30/2022, 9:42 PM
`{{baseURL}}/auth/signinup/code/consume`
this one?
I don't see anything related to CSRF in any request

rp

03/30/2022, 9:44 PM
no, I mean in the response header from that API call
Do you get any token indicating an anti-CSRF token back?

FrAgOrDiE

03/30/2022, 9:45 PM
the response:
cookies
headers
so, I guess no I don't

rp

03/30/2022, 9:46 PM
Alright
So in the request header to the POST API call that's failing, you should pass the header `rid: anti-csrf` to it

FrAgOrDiE

03/30/2022, 9:48 PM
that's weird, is it a workaround?

rp

03/30/2022, 9:49 PM
not a workaround. It seems that based on your apiDomain and websiteDomain values, some anti-CSRF measure is needed. Passing a custom header is an anti-CSRF measure: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#use-of-custom-request-headers
is it working if you pass that header?

FrAgOrDiE

03/30/2022, 9:49 PM
yes

rp

03/30/2022, 9:49 PM
also, when using our frontend SDK, this header is added automatically to your requests, so you don't need to do anything special there. Just via Postman, you have to set this.

FrAgOrDiE

03/30/2022, 9:50 PM
ahhhhh
okay, awesome, thank you so much for your time