`CSRFTokenMismatchError` on API routes after upgrade to Blitz 2.0 #4127

antonykamp · 2023-04-14T09:57:22Z

antonykamp
Apr 14, 2023

Hey guys 😇

We freshly upgraded from Blitz 0.27.x to Blitz 2.0 🙌
During the upgrade, we noticed a difference between the old and the new API routes, and we have a question regarding best practices.

Please correct me if I'm wrong 🙃 Blitz 0.27.x doesn't use sessionMiddleware in front of the API routes, but Blitz 2.0 does use the big brother AuthServerPlugin at this point.
The result is that Blitz creates a new anonymous session with a CSRF token on a new request to an API route. We can find the session and CSRF token in the responses' cookies now (That's cool 🙌)

In the case of integrations,that send requests to the API routes and reuse the received cookies, they receive the error CSRFTokenMismatchError after the first request.
The first request works flawlessly, and the external integrations receive the anonymous session and CSRF token in the responses' cookies. The following requests fail because the requests' cookies contain an anonymous session token. Still, the header anti-csrf doesn't have the token (only the cookie does) 🤔 The integration doesn't automatically write the CSRF token into the header. Still, it sends the request with the cookies and the anonymous session token. That results in a CSRFTokenMismatchError.

What do you think is the best way to handle this situation? We thought about clearing the cookies in the integration every time. Do you have another idea?

I hope I could make myself clear 😇
I'm looking forward to your ideas 🙃
Antony 💚

Answered by flybayer

Apr 14, 2023

Hi @antonykamp, api endpoints for external integrations do not need anti-CSRF, and therefore usually should not wrap those endpoints with api(). This api wrapper is new in blitz 2, removing it will give you exactly what you had before

View full answer

antonykamp · 2023-04-14T11:37:19Z

antonykamp
Apr 14, 2023
Author

Is it a possible idea to check the cookies in the following line too?

blitz/packages/blitz-auth/src/server/auth-sessions.ts

Line 647 in 3e8f04e

const antiCSRFToken = req.headers[HEADER_CSRF] as string | undefined

0 replies

flybayer · 2023-04-14T23:05:50Z

flybayer
Apr 14, 2023
Maintainer

Hi @antonykamp, api endpoints for external integrations do not need anti-CSRF, and therefore usually should not wrap those endpoints with api(). This api wrapper is new in blitz 2, removing it will give you exactly what you had before

1 reply

antonykamp Apr 15, 2023
Author

Hey, thanks for the quick answer :) This resolves our issue perfectly.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

`CSRFTokenMismatchError` on API routes after upgrade to Blitz 2.0 #4127

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 2 comments 1 reply

{{title}}

{{title}}

{{title}}

Select a reply

CSRFTokenMismatchError on API routes after upgrade to Blitz 2.0 #4127

antonykamp Apr 14, 2023

Replies: 2 comments · 1 reply

antonykamp Apr 14, 2023 Author

flybayer Apr 14, 2023 Maintainer

antonykamp Apr 15, 2023 Author

`CSRFTokenMismatchError` on API routes after upgrade to Blitz 2.0 #4127

antonykamp
Apr 14, 2023

Replies: 2 comments 1 reply

antonykamp
Apr 14, 2023
Author

flybayer
Apr 14, 2023
Maintainer

antonykamp Apr 15, 2023
Author