CSRF failure in developer portal

I see ‘CSRF Failure’ when I try to log in or register a new user in the developer portal. We have been seeing this issue ever since we upgraded to v2.3 of the gateway and v1.3 of the dashboard. Is there a fix in the works for this issue?

Hi Akhilesh,

CSRF failures commonly occur when users attempt to log into portals that haven’t been configured with a valid CNAME or set up with any active APIs added (we actually have a Troubleshooting page that describes this issue). Can you please confirm as to whether your portal has been configured with the required settings?

Kind regards,
Jess @ Tyk

We have active APIs and are using the same CNAME as before, with even the same mongo and redis underneath. We had a working portal prior to making the upgrade to v2.3 of gateway and v1.3 of dashboard. We see this happening on the new version deployment.

Hi Akhilesh,

Apologies, there does seem to be an issue with the login button in the navigation bar at present, which would also explain this. The bug has been added to our backlog and will be fixed in a future release. In the meantime, please try disabling the login box in the navigation bar and use the login form at the “/login” path instead.

Apologies again for any inconvenience caused.

Kind regards,
Jess @ Tyk

Hi Jess,
Thanks for confirming the issue. However, we see an issue with the /login form as well as the /register form, both of which give the same ‘CSRF failure’ error when submitted. We have a CNAME set for the portal and also active APIs currently in use. Is there something else I’m missing that might be causing this?

Hi Akhilesh,

We suspect that this behaviour may have been caused by another bug in the Developer portal. This bug seems to affect the way in which the CSRF token in the login form is generated whenever a user attempts to log into the portal after they have already entered an incorrect password. The suggested workaround for the time being is to click the “login” link on the homepage before each login attempt, so as to reload the page rather than relying on the redirect action in the form (as an incorrect password attempt would force the page to redirect instead).

We are still looking into this issue so if you could let us know how you get on, that would help a great deal.

Kind regards,
Jess @ Tyk

Hi Jess,
Unfortunately, the forms in /login and /register also don’t work. Can we get a fix, or any information on what the fix could be, if it’s in the portal templates or JavaScript files, so that we may try to apply those fixes and redeploy to get it working as before? We had a plan to roll out the portal to our whole IT division for publishing APIs and onboarding developers over the next few weeks. Sadly, this issue has stalled those plans. Any help to further our progress on this would be greatly appreciated. Thanks in advance.

Hi Akhilesh,

In that case, there may simply be an issue with your configuration settings, as most of our users are able to use those forms with the correct credentials. When you upgraded to version 1.3 of the Dashboard, did you merge your templates with the new ones contained in the latest release? The current templates contain the latest tags, in particular the tag for the CSRF token, which might be missing from the pages for each of these forms. The tag should look like the following:

    <input type="hidden" name="csrf_token" value="{{ .Token }}">

Kind regards,
Jess @ Tyk

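To make concrete why a missing `{{ .Token }}` tag produces exactly this symptom, here is an added example in Go (not Tyk's portal code; handler, cookie and template names are hypothetical). It implements a minimal session-bound CSRF check: a token is issued on GET, rendered into the hidden input, and compared in constant time on POST. The same submission is then run against a template that carries the tag and against a stale template without it, reproducing the “CSRF Failure” response, and once more with a tampered token.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"html/template"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
	"strings"
	"sync"
)

// Constructed templates: the first carries the hidden csrf_token input that the
// newer portal templates contain; the second is a stale copy without it.
const formWithToken = `<form method="post" action="/login">
<input type="hidden" name="csrf_token" value="{{ .Token }}">
<input name="email"><input name="password" type="password"><button>Login</button>
</form>`

const formWithoutToken = `<form method="post" action="/login">
<input name="email"><input name="password" type="password"><button>Login</button>
</form>`

const sessionCookie = "portal_session" // hypothetical cookie name

// portal keeps one CSRF token per session (in-memory here; a real deployment
// would keep it in the session store).
type portal struct {
	mu     sync.Mutex
	tokens map[string]string // session id -> current token
	form   *template.Template
}

func newPortal(formTmpl string) *portal {
	return &portal{tokens: map[string]string{}, form: template.Must(template.New("login").Parse(formTmpl))}
}

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// session returns the caller's session id, creating a new one if none is presented.
func (p *portal) session(w http.ResponseWriter, r *http.Request) string {
	if c, err := r.Cookie(sessionCookie); err == nil && c.Value != "" {
		return c.Value
	}
	id := randomHex(16)
	http.SetCookie(w, &http.Cookie{Name: sessionCookie, Value: id, HttpOnly: true, Path: "/"})
	return id
}

// login issues a fresh token on GET and verifies it on POST; a submission whose
// csrf_token is absent or does not match the session's token is rejected.
func (p *portal) login(w http.ResponseWriter, r *http.Request) {
	sid := p.session(w, r)
	switch r.Method {
	case http.MethodGet:
		tok := randomHex(32)
		p.mu.Lock()
		p.tokens[sid] = tok
		p.mu.Unlock()
		_ = p.form.Execute(w, struct{ Token string }{tok})
	case http.MethodPost:
		p.mu.Lock()
		want := p.tokens[sid]
		p.mu.Unlock()
		got := r.FormValue("csrf_token")
		if want == "" || subtle.ConstantTimeCompare([]byte(want), []byte(got)) != 1 {
			http.Error(w, "CSRF Failure", http.StatusForbidden)
			return
		}
		fmt.Fprint(w, "login accepted")
	default:
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
	}
}

var tokenRe = regexp.MustCompile(`name="csrf_token" value="([0-9a-f]+)"`)

// Submit fetches the login page, then posts the form back with the session cookie
// and whatever token the page carried (all zeros when tamper is set).
// It returns the status code of the POST.
func Submit(formTmpl string, tamper bool) int {
	srv := httptest.NewServer(http.HandlerFunc(newPortal(formTmpl).login))
	defer srv.Close()
	get, err := http.Get(srv.URL + "/login")
	if err != nil {
		panic(err)
	}
	page, _ := io.ReadAll(get.Body)
	get.Body.Close()
	token := ""
	if m := tokenRe.FindSubmatch(page); m != nil {
		token = string(m[1])
	}
	if tamper && token != "" {
		token = strings.Repeat("0", len(token))
	}
	form := url.Values{"email": {"dev@example.com"}, "password": {"hunter2"}, "csrf_token": {token}}
	req, _ := http.NewRequest(http.MethodPost, srv.URL+"/login", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	for _, c := range get.Cookies() {
		req.AddCookie(c)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	resp.Body.Close()
	return resp.StatusCode
}

func main() {
	fmt.Println("template with tag:   ", Submit(formWithToken, false))    // 200
	fmt.Println("template without tag:", Submit(formWithoutToken, false)) // 403
	fmt.Println("tampered token:      ", Submit(formWithToken, true))     // 403
}
```

The point of the example is the second run: with the tag missing, the browser never receives a token, so every submission arrives with an empty `csrf_token` and is refused regardless of the credentials, which is the behaviour this thread describes after the old templates overwrote the new ones.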

Hi Jess,
Thanks a lot for the fix. It works now in the /login and /signup forms. I didn’t anticipate changes in the portal, and we were overwriting the portal files, as you guessed, in the dashboard container in our cloud deployments. I made those changes and it works fine now.

Cheers,
Akhilesh
