Authentication failure! csrf_detected(Rack 3.0.8) #15
Comments
Getting a similar issue as well. Suspect it may be related to rack/rack#2128. You didn't post a stack trace @viktor-shmigol, but does this look like what you're getting?
Can you share the HTML for the key/value which might be causing the problem?
Sure @ioquatix, but I'm guessing it won't be too helpful as it's just the form params that get sent to the Google OAuth endpoint.
<form data-turbo="false" action="/users/auth/google_oauth2" accept-charset="UTF-8" method="post">
<input type="hidden" name="authenticity_token" value="...redacted..." autocomplete="off">
<button class="btn btn-primary" type="submit">Login with Google</button>
</form>
I can also verify that downgrading rack back down to
Looks okay to me, is there some other part we are missing?
I quickly skimmed through the Rack CHANGELOG and couldn't spot anything that'd break. Also, doesn't look like Rails' I'll investigate further. Thank you for the report.
The same issue is also happening to me, with an identical backtrace. I'd like to highlight that it only happens in production environments, so I think it may be related to the middleware stack, but I've had no success debugging 😔.
@sikachu did you manage to find anything in your investigation? I maintain a library that uses this gem and one of our customers is reporting that they're experiencing this as well.
Following as I've just come across the following error when rack >3 is used with rails 7.1
Hello. Sorry for the wait, I just had time to look into this again. I was trying to reproduce this using a newly-created Rails app, but I wasn't able to reproduce it. (The app lives here). I tried both in You can see that I'm using Rack 3.0.8 here: https://github.com/sikachu/omniauth-rails_csrf_protection-issue-15/blob/main/Gemfile.lock#L192 Since I think I'm hitting a brick wall in investigating this, would you mind providing more information?
Hi @sikachu, thanks for looking into this. To answer your questions: this was tested with 'omniauth-auth0', '~> 3.1.1' rather than the Google version. (But I believe it's the same issue as the Google users above are seeing.) After installing the debug branch, the error output in the logs is as follows:
Session store: Thanks
Having the same issue. I just upgraded gems, which moved rack from v2.x to v3.0.8, and started getting After visiting here, I explicitly set
So the error logged by @scottsherwood is occurring here?
Not sure how this fits in, but hopefully it points in the right direction?
Sorry for the slow update. The other day, @nevans opened #16 and reported an issue with thread safety, which could be the root cause of this mismatch (I only tested this in a web server with fork mode). Would you mind pointing to
After a little more testing, I believe the issue that I was facing was related to phusion/passenger#2503. Updating passenger to the most recent version, which includes a fix, has resolved the issue.
@scottsherwood I've upgraded the passenger docker image to phusion/passenger-ruby32:3.0.2.
Since I think this issue was resolved by upgrading Passenger, I'm going to close this issue. Thank you very much for everyone's input in nailing down the affected service 🙇‍♂️
Hello,
I'm having an error: Authentication failure! csrf_detected on the production env.
I identified the problem and found that it happens when I use the latest gem rack v3.0.8.
However, if I downgrade it to v2.2.8, it works without an issue.
ruby version: 3.2.2
rails version: 7.1.1
omniauth-rails_csrf_protection 1.0.1
omniauth-google-oauth2 version: 1.1.1
Thanks