https://supertokens.com/ logo
Join Discord
Powered by
In NestJS I'm setting a POST request which doesn't...
# general
f
In NestJS I'm setting a POST request which doesn't work if using the Authentication guard. GET requests work, POST don't. It seems to be 
resp.headersSent
being true in the authentication guard. How does this work?
r
@User can maybe help out.
p
Hi, sorry, I'll be back in 30 mins. 
resp.headersSent
should only be set if the response has already started.
f
don't worry
yeah, but look
1. I'm sending a POST request - https://prnt.sc/PCEzc-Dnx731 2. In the auth guard, before calling the 
verifySession
method, headersSent is FALSE - https://prnt.sc/s5tcPLR17ZFl 3. In the auth guard, right after 
verifySession()
fires, headersSent is set to TRUE - https://prnt.sc/MrrIlDe6Hks5 4.
Copy code
ts
if (resp.headersSent) {
      throw new STError({
        message: 'RESPONSE_SENT',
        type: 'RESPONSE_SENT',
      });
    }
this code snippets therefore throws an error
the same with a get request... the variable is still set to false
so it doesn't throw an error
p
is the err variable set to anything?
f
No, err is undefined
p
hmm, even when 
headersSent
is true? I'll look into this more, but that's the only case this should happen.
hmm, I can't really find any reason it should be like this. It's really strange that it's different for post and get, the only reason I can think of is if this guard is running for 
/auth
routes or if you set 
refreshTokenPath
if neither of those are true: do you have a repo where I can reproduce this issue? or could we try to debug this on a call?
oh, and sorry for the late answer 🙂
r
The other diff between post and get is that get doesn’t require any anti csrf measures. So for example, get won’t require a custom header whilst post would.
f
yes!
that seems to be the problem! I passed antiCsrfCheck: false to the function and it works
how am I supposed to make it work with csfr check?
r
I see. In the sign in request, do you get an explicit anti CSRF token back?
f
{{baseURL}}/auth/signinup/code/consume
this one?
I don't see anything related to csrf in any request
r
no i mean in the reponse header from that API call
Do you get any token indicating anti csrf token back?
f
the response:
cookies
headers
so, I guess no I don't
r
Alright
So in the request header to the POST API call that's failing, you should pass the the header 
rid: anti-csrf
to it
f
that's weird, is it a workaround?
r
not a work around. It seems that based on your apiDomain and websiteDomain values, some anti csrf measure is needed. Passing a custom header is an anti-csrf measuer: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#use-of-custom-request-headers
it is working if you pass that header?
f
yes
r
also, when using our frontend SDK, this header is added automatically to your requests.. so you don't need to do anything special there. Jusr via postman, you have to set this.
f
ahhhhh
okay, awesome, thank you so much for your time
5 Views
PreviousNext
Powered by