Currently setting up a CSRF token for POST requests with Ring. I've been following the answer to this question as a guide: Set Ring-Anti-Forgery CSRF header token. After following this guide I am able to successfully get the CSRF token and send a POST request with curl. However, I can only do this at the expense of not using (wrap-reload) with my app handler.

The guide uses this code for the app handler:

(def app
  (-> routes
      (wrap-defaults site-defaults)
      (wrap-session)))

However, in order to use dynamic reloading I need the (wrap-reload) function during development, like so:

(def app
  (-> routes
      (wrap-defaults site-defaults)
      (wrap-session)
      (wrap-exception)
      (wrap-reload)))

I'm pretty sure this is related to a problem addressed by the comments in the answer to the question I linked above. There was a bug creating redundant behavior when setting the middleware defaults.

Is there any way I can use wrap-reload and still get valid CSRF tokens?

  • Your backend runs on the JVM, that code is setting up your ring server, you can start it using lein run. Figwheel sets up automatic compilation of clojurescript. Your app should serve html that in turn calls the output of figwheel, they are separate processes and shouldn't clash. I recommend you post a link to a minimal working example, otherwise your question is really vague. – Ricardo Acuna Nov 06 '15 at 00:03
  • Okay I understand your point on how figwheel and the ring reloading are separate processes. I guess I should've asked how can I use ring's reload function and get the right CSRF token. The minimal working example for getting the CSRF token is in the link I posted. But it doesn't have ring reloading. – Harley Swick Nov 06 '15 at 04:55
  • `wrap-reload` doesn't do anything to POST requests, see https://github.com/ring-clojure/ring/blob/1.4.0/ring-devel/src/ring/middleware/reload.clj#L7 Can you put an example on GitHub and give a link? – edbond Nov 07 '15 at 06:48
  • Edited my question to focus more on ring's reload and the CSRF token and not figwheel or POST requests. However, this bug does prevent me from using POST requests with ring because it requires the CSRF token. At this point I'm thinking of manually setting the token for development. – Harley Swick Nov 07 '15 at 08:27
  • I can confirm that you should be able to do this without problems. I was using this with figwheel and doing JSON calls back to the server with the CSRF token in a header and using the reload middleware with no problems. I don't believe figwheel has anything to do with it unless you're somehow storing the CSRF token in a def on the client side, in which case, you need to replace the def with a defonce so that it is not lost when figwheel reloads your client ClojureScript. Not enough details to be more specific. – Tim X Nov 07 '15 at 08:32
  • (POST "/save" {:headers {"x-csrf-token" js/csrf} :params {:state ["foo"]}}) works – Harley Swick Dec 18 '15 at 23:53

1 Answer

There isn't enough information to provide specific details of where your problem might be. However, some general hints might be useful.

There is a useful description about running reloadable code on the figwheel site on GitHub. While this description is about writing reloadable ClojureScript, the principles apply just as much to the server side.

It is possible that the reason auto-reload might be causing problems with your anti-forgery token is that the session is being stored in a 'def' rather than a defonce. This would mean that when the file which stores the session is reloaded, your session data is lost, and this could mean that your CSRF token is also lost or replaced with a new value.

It may also be worthwhile looking at the Luminus template. It also uses ring-defaults and it handles the CSRF token stuff quite nicely. In fact, it uses the Selmer template, which has been extended to include the CSRF token, which makes it trivial to modify and set a JS var to hold the token so that using the token with AJAX POST requests is extremely easy. It also works fine with auto-reload.

Tim X
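The following is an added example, not code from the question or the answer, putting the answer's two hints together: the in-memory session store is held in a defonce so that wrap-reload does not discard the sessions (and the CSRF tokens stored in them) on every file change, and the per-request token is exposed to the client as a JS var so AJAX POSTs can send it in the x-csrf-token header, which ring-anti-forgery accepts. The namespace name, the route bodies and the page markup are assumptions; wrap-session and wrap-anti-forgery are not added separately because site-defaults already enables both.

```clojure
(ns example.handler
  (:require [ring.middleware.defaults :refer [wrap-defaults site-defaults]]
            [ring.middleware.reload :refer [wrap-reload]]
            [ring.middleware.session.memory :refer [memory-store]]
            [ring.middleware.anti-forgery :refer [*anti-forgery-token*]]
            [compojure.core :refer [defroutes GET POST]]
            [compojure.route :as route]))

;; defonce, not def: the atom backing the in-memory session store survives a
;; wrap-reload of this namespace, so existing sessions and the CSRF token
;; kept inside them are not thrown away whenever a source file changes.
(defonce session-store (memory-store))

(defn page []
  ;; *anti-forgery-token* is bound per request by wrap-anti-forgery (enabled
  ;; by site-defaults). It is placed in a JS var so client code can send it
  ;; back in the x-csrf-token header. The token is URL-safe text, but escape
  ;; anything else you interpolate into a script block.
  (str "<!DOCTYPE html><html><head>"
       "<script>var csrf = \"" *anti-forgery-token* "\";</script>"
       "</head><body>assumed page body</body></html>"))

(defroutes routes
  (GET "/" [] (page))
  ;; Only reached when the request carried a valid token; otherwise
  ;; wrap-anti-forgery answers 403 before the route runs.
  (POST "/save" req (str "saved " (get-in req [:params :state])))
  (route/not-found "not found"))

;; site-defaults already includes wrap-session and wrap-anti-forgery. Wrapping
;; wrap-session again outside wrap-defaults would add a second, unrelated
;; session layer, and the token in the page would no longer match the one the
;; anti-forgery check reads. The only change to the defaults is the shared
;; store, so the session survives reloads.
(def app
  (-> routes
      (wrap-defaults (assoc-in site-defaults [:session :store] session-store))
      (wrap-reload)))
```

wrap-reload belongs in the development handler only; a production build should use the same app definition without it, which keeps the session and anti-forgery configuration identical in both environments.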