I am trying to figure out why /admin/config/drupalgap would always return "Unauthorized: CSRF validation failed" when logged in as admin.
I tried to post my X-CSRF-Token to ?q=drupalgap/system/connect.json through Postman (when logged in) and I have received the same result: "CSRF validation failed".
If I log out and post my X-CSRF-Token to the same URL I receive a valid result.
Any ideas why this is happening?
Many Thanks!
Comment | File | Size | Author
---|---|---|---
#16 | Auto Login.JPG | 14.67 KB | J2
Comments
Comment #1
tyler.frankenstein commented:
A few things:
For the two modules mentioned above, make sure you are running the latest recommended release (or dev snapshot) of both.
Also when you visit admin/config/drupalgap, open up your JavaScript console in your browser. Does it report any error(s)?
Comment #2
drupalpal commented:
For Services: 7.x-3.5
For DrupalGap: 7.x-1.6
For Drupal: 7.22
The URL is dm.pcd.ps
The error is as follows:
Failed to load resource: the server responded with a status of 401 (Unauthorized: CSRF validation failed) http://dm.pcd.ps/?q=drupalgap/system/connect.json
Thanks!
Comment #3
tyler.frankenstein commented:
Are you trying to use the DrupalGap app that is downloaded from Google or Apple?
Or are you building your own app?
I just tried to use Firefox Poster to do a System Connect to your site as an anonymous user... Firefox froze and eventually crashed for me.
However, I noticed that after visiting the URL (http://dm.pcd.ps/?q=drupalgap/system/connect.json) directly, I receive this error:
404 Not found: Could not find the controller.
Go to admin/structure/services and click 'Edit resources' next to DrupalGap, make sure the System Connect resource is enabled. Then flush all of your caches and try again.
Comment #4
drupalpal commented:
Yes, I am trying to build my own app.
Yes, I have verified that system connect is enabled.
When trying on Ripple with remote cross domain proxy "disabled" I received the following:
XMLHttpRequest cannot load http://dm.pcd.ps/?q=services/session/token. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://mobile.local' is therefore not allowed access.
When I set Ripple remote cross domain proxy to remote, I get:
61mKlKyOj2JbYoUIVyZgE02-wqUyDI50W2pBE_y0ZQE' is not a valid HTTP header field value.
One thing that I have noticed that the authentication tab shows: "Services has no setting available"
My website is multilingual, could this cause any problems?
Please find two files that show all my settings:
https://dl.dropboxusercontent.com/u/21104236/combined.pdf
And my app (Which is basically the default app with the settings defined):
https://dl.dropboxusercontent.com/u/21104236/testing.zip
Thank you!
Comment #5
tyler.frankenstein commented:
Take a look at your token result:
http://dm.pcd.ps/?q=services/session/token
Compared to an example token from my site:
http://tylerfrankenstein.com/?q=services/session/token
Your token is returning an empty line above the token, mine just returns the token. I think this empty line is what is causing the error in your first screen shot.
Please update your Services module to 3.7.
Also, you may want to check with your website host about their CORS policy:
http://en.wikipedia.org/wiki/Cross-origin_resource_sharing
It's possible the multilingual will cause problems when displaying content and users, but it shouldn't interfere with basic set up.
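What the empty line above the token does on the client side, as an added example in JavaScript (this is not DrupalGap or Services code): an HTTP header field value may not contain a line break, so a token body that begins with a newline cannot be placed into X-CSRF-Token at all, which is the "is not a valid HTTP header field value" error quoted in comment #4. The endpoint paths are the ones used in this thread; the sample token strings are constructed, and the request shape is an assumption about how a client would call System Connect.

```javascript
// Added example, not DrupalGap or Services code.
// Assumptions: endpoint paths as in the thread; the sample bodies below are constructed.

// RFC 7230 section 3.2: a header field value may contain printable characters,
// SP and HTAB, but no CR, LF or other control characters. Browsers enforce this
// in XMLHttpRequest.setRequestHeader() and fetch(), which is where the
// "is not a valid HTTP header field value" error comes from.
function isValidHeaderValue(value) {
  if (typeof value !== 'string') return false;
  for (let i = 0; i < value.length; i++) {
    const c = value.charCodeAt(i);
    if ((c < 0x20 && c !== 0x09) || c === 0x7f) return false;
  }
  return true;
}

// Normalise the body returned by services/session/token: drop surrounding
// whitespace (including a leading blank line) and refuse anything that is
// still not a single header-safe token.
function sanitizeCsrfToken(rawBody) {
  const token = String(rawBody).trim();
  if (token === '' || /\s/.test(token) || !isValidHeaderValue(token)) {
    throw new Error('services/session/token did not return a usable token');
  }
  return token;
}

// Shape of the System Connect call an app makes once it holds a token.
// Assumed request layout; not DrupalGap's own request code.
function buildConnectRequest(sitePath, token) {
  if (!isValidHeaderValue(token)) {
    throw new Error('refusing to send a malformed X-CSRF-Token');
  }
  return {
    url: sitePath.replace(/\/$/, '') + '/?q=drupalgap/system/connect.json',
    options: {
      method: 'POST',
      credentials: 'include', // the session cookie is what the CSRF token protects
      headers: { 'X-CSRF-Token': token, 'Content-Type': 'application/json' },
      body: '{}'
    }
  };
}

// Constructed sample responses: a clean body and one with the extra leading
// line described above.
const CLEAN_BODY = 'AbC123-_xyz';
const BODY_WITH_BLANK_LINE = '\nAbC123-_xyz';
```

Trimming on the client is defence in depth, not a substitute for the Services upgrade: the server should return a bare token. One more observation that fits the original post: a CSRF token only protects requests that carry a session cookie, so a check that is skipped for anonymous requests and enforced for logged-in ones is consistent with the logged-out POST succeeding while the admin POST fails.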
Comment #6
tyler.frankenstein commented:
Comment #7
isimgt commented:
Any new news about this?
I have the same problem
https://www.evernote.com/shard/s280/sh/02faae5a-c6e9-45f9-8ebf-97089fc4c...
Comment #8
tyler.frankenstein commented:
Please see the troubleshooting guide(s):
https://www.drupal.org/node/2015065
Then report back what techniques you've tried to resolve it, then we can more accurately debug your problem.
Comment #9
dana_deek commented:
I got the same error and I need help adding the token to each request in my custom DrupalGap app.
Comment #10
tyler.frankenstein commented:
@dana_deek, see comment #8, and DrupalGap has built in support for the CSRF token.
Also, all future people that stop here. This is a common problem. Simply saying "I got the same error" is not helpful at all. This problem is well documented, please actually try all of the techniques for resolving it listed in this issue and elsewhere. Then report back here what techniques you actually tried to solve the problem.
It is also crucially important that you mention what version of the modules and SDK you are running. And mention what your development environment consists of, Ripple, Android Device/Emulator, iOS Device/Emulator, etc.
Also, you need to manually verify that the System Connect is working properly:
Here are related issues:
#2051853: System Connect Status Check Fails
#1884184: The "System Connect" test failed!
https://github.com/signalpoint/DrupalGap/issues/53
http://www.drupalgap.org/troubleshoot
Comment #11
tyler.frankenstein commented:
On a related note, today I received the following error:
When trying to access the following URL in Chrome + Ripple:
http://example.com/mobile-application
This is because in my app/settings.js file, the site_path is set to http://www.example.com. Since the www is present, I then navigated here: http://www.example.com/mobile-application
And it worked! This only appears to be a "problem" on some server set ups, I hope this helps somebody!
Comment #12
lepabloski commented:
Hi there, I have the same problem using the web app locally.
XMLHttpRequest cannot load http://dev-pcabrol.pantheon.io/?q=services/session/token. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost' is therefore not allowed access.
if you access the url, you get the token, but not in the web app from localhost.
The other things is that the phonegap application (downloaded from the drupal site) is not working either.
I'm working on
Drupalgap 7.x-1.14
services 7.x-3.12
any help?????
thanks.
Comment #13
mattshoaf commented:
@lepabloski,
This is a CORS issue. CORS module can help, but it has some bugs (can only allow either one external domain or any domain access).
I would recommend getting off of pantheon. I ran into issues with them, specifically wasn't able to issue any PUT command from DrupalGap/Drupal Services (required for updating content/users/entities).
Here's my thread when I found that out: https://www.drupal.org/node/2693085
DrupalGap has worked on every other configuration of shared hosting that I've tried it on, and I ended up on Acquia for shared hosting, although their managed dev tools don't always know what to do with Drupal if you move Drupal into a subfolder to run it as a Headless Drupal site, i.e.: http://docs.drupalgap.org/7/Developer_Guide/Headless_Drupal
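How a browser decides whether the cross-origin calls in comments #4, #12 and #13 go through, as an added example in JavaScript (not the CORS module's or DrupalGap's code). The request shapes follow the thread (a GET to services/session/token and a POST carrying X-CSRF-Token from an app served on another origin); the response header sets are constructed to show the failing case quoted above next to one that works for a cookie-authenticated app, and the "one domain or any domain" limitation mentioned in comment #13 is exactly the wildcard case handled here: a wildcard origin is never accepted for a request that sends cookies.

```javascript
// Added example, not CORS module or DrupalGap code. Implements the browser-side
// CORS decision from the Fetch standard for the request kinds in this thread.
// Response header sets below are constructed.

const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
// Request headers that never trigger a preflight (Content-Type only with these values).
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language']);
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'
]);

function lowerKeys(h) {
  const out = {};
  for (const [k, v] of Object.entries(h || {})) out[k.toLowerCase()] = String(v);
  return out;
}

function isSafelistedHeader(name, value) {
  if (name === 'content-type') {
    return SAFELISTED_CONTENT_TYPES.has(value.split(';')[0].trim().toLowerCase());
  }
  return SAFELISTED_HEADERS.has(name);
}

function listFrom(value) {
  return value ? value.split(',').map(s => s.trim().toLowerCase()).filter(Boolean) : [];
}

// Returns { allowed: true } or { allowed: false, reason }.
function corsDecision({ origin, method, headers = {}, withCredentials = false }, responseHeaders) {
  const req = lowerKeys(headers);
  const res = lowerKeys(responseHeaders);
  const acao = res['access-control-allow-origin'];
  if (acao === undefined) {
    return { allowed: false, reason: "No 'Access-Control-Allow-Origin' header is present" };
  }
  // A wildcard origin is only honoured when no credentials (cookies) are sent.
  if (acao !== origin && !(acao === '*' && !withCredentials)) {
    return { allowed: false, reason: `Origin ${origin} not allowed by '${acao}'` };
  }
  if (withCredentials && res['access-control-allow-credentials'] !== 'true') {
    return { allowed: false, reason: 'Credentialed request needs Access-Control-Allow-Credentials: true' };
  }
  const simple = SAFELISTED_METHODS.has(method)
    && Object.entries(req).every(([k, v]) => isSafelistedHeader(k, v));
  if (simple) return { allowed: true };
  // Preflight: method and every non-safelisted header must be allowed explicitly;
  // '*' in the allow lists is taken literally when credentials are included.
  const allowMethods = listFrom(res['access-control-allow-methods']);
  const methodOk = SAFELISTED_METHODS.has(method)
    || allowMethods.includes(method.toLowerCase())
    || (allowMethods.includes('*') && !withCredentials);
  if (!methodOk) return { allowed: false, reason: `Method ${method} not allowed by preflight` };
  const allowHeaders = listFrom(res['access-control-allow-headers']);
  const headerWildcard = allowHeaders.includes('*') && !withCredentials;
  for (const name of Object.keys(req)) {
    if (isSafelistedHeader(name, req[name])) continue;
    if (!headerWildcard && !allowHeaders.includes(name)) {
      return { allowed: false, reason: `Request header ${name} not allowed by preflight` };
    }
  }
  return { allowed: true };
}

// Constructed requests matching the thread: the token fetch and the CSRF-checked POST.
const TOKEN_REQUEST = { origin: 'http://localhost', method: 'GET', withCredentials: true };
const CONNECT_REQUEST = {
  origin: 'http://localhost', method: 'POST', withCredentials: true,
  headers: { 'X-CSRF-Token': 'constructed-token', 'Content-Type': 'application/json' }
};
// What comments #4 and #12 saw: a response with no CORS headers at all.
const NO_CORS_RESPONSE = { 'Content-Type': 'application/json' };
// A set of headers that works for a cookie-authenticated app on http://localhost.
const WORKING_RESPONSE = {
  'Access-Control-Allow-Origin': 'http://localhost',
  'Access-Control-Allow-Credentials': 'true',
  'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE',
  'Access-Control-Allow-Headers': 'Content-Type, X-CSRF-Token'
};
// "Any domain": fine for anonymous calls, useless once the app sends the session cookie.
const WILDCARD_RESPONSE = { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Headers': '*' };
```

The practical reading for this thread: allowing the app's exact origin, setting Access-Control-Allow-Credentials to true, and listing X-CSRF-Token (and Content-Type, if the app posts JSON) in Access-Control-Allow-Headers are all required; a wildcard origin cannot be combined with the session cookie that the CSRF token is tied to.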
Comment #14
x7ian commented:
Hello,
I've installed Drupal 7 and the DrupalGap module and generated and launched the app.
It seems to be working ok. I can login with any created user.
Then when I go to the user register form and create a new account, when I submit the form, it gives me the account created alert message saying "Registration Complete!".
However after that it gives me a second alert saying that "CSRF validation failed" and it stays at the same registration form page.
If I go to login, I cannot login with the new user.
But if I refresh the page/app, the new user is logged in. If I logout and go to the login form and login again it works perfectly.
The CSRF error shows up only when creating a new account.
What I want is for the user to be logged in automatically when the account is created.
I installed Login Toboggan in Drupal and DrupalGap, and configured it so that the user will be logged in immediately.
I'm working everything on localhost.
I've tested on Poster my URL:
http://localhost/sandbox.codeatrium/?q=drupalgap/system/connect.json
It shows the "CSRF validation failed" error.
I don't understand why this only happens when registering a new account and the normal login works fine.
Any suggestions on why this is happening?
Thank you for your help!
Comment #15
styrbaek commented:
I have the same issue as #14
Comment #16
J2 commented:
I'm also having the issue described in #14.
Lots of testing revealed that this is caused by Login Toboggan's "Immediate Login" setting (see the attached screenshot). When that setting is activated, the user will be logged in automatically as soon as they register within the app. This is true whether or not the user_register_form has the auto_user_login property set to true or false.
If set to true, Login Toboggan logs the user in right when the user is registered, and the user will be assigned a new CSRF token - one that is associated with that user's account. Then, the app attempts to perform a second login, thus returning the invalid CSRF token error. The CSRF token is invalid because the app tried to use the old CSRF token (the one used upon registration) to log in a second time, instead of using the new CSRF token that the user account now has (as given when Login Toboggan logged the user in the first time).
If set to false, the user will still be logged in by Login Toboggan upon registration. So the user won't see the "invalid CSRF token" error until the next time he/she tries to login within the app.
TL;DR:
The essence of the error is that DrupalGap's Login Toboggan module doesn't take into account how the Drupal Login Toboggan module's "Immediate Login" setting will behave in the context of DrupalGap apps. This is a bug that needs to be fixed.
The workaround (in the meantime) will probably require entirely refreshing the app upon registration form submission. Or just turning off that Login Toboggan setting (if that's an option for you - unfortunately, it's not an option for what I am doing).
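The sequence J2 describes, as an added example in JavaScript that is not DrupalGap's, Services' or Login Toboggan's code. In Drupal 7 the token that drupal_get_token() produces is keyed on the session ID, and user_login_finalize() regenerates the session, so a token fetched before registration stops validating the moment Immediate Login signs the new user in. The server below is a constructed in-memory stand-in for Drupal Services: endpoint paths follow the thread, while cookie and token formats, response bodies and the 406 "Already logged in" reply are assumptions modelled on Services' behaviour. The client shows the naive flow (register, then log in with the cached token) failing with 401 next to a flow that refreshes the token after registration and asks System Connect whether a login is still needed.

```javascript
// Added example, not DrupalGap, Services or Login Toboggan code.
// Assumptions: session cookie / token formats, response bodies and status codes
// are a constructed stand-in for Drupal 7 + Services; endpoint paths are from the thread.

class FakeServicesServer {
  constructor({ immediateLogin }) {
    this.immediateLogin = immediateLogin; // stands in for Login Toboggan's "Immediate Login"
    this.sessions = new Map();            // cookie -> { uid, token }
    this.users = new Map();               // account name -> uid
    this.nextUid = 2;                     // uid 1 is the site admin
    this.counter = 0;
  }

  // A new session gets a new cookie and a CSRF token bound to that session,
  // mirroring drupal_get_token() being keyed on the session ID.
  newSession(uid) {
    this.counter += 1;
    const cookie = 'SESS' + this.counter;
    this.sessions.set(cookie, { uid, token: 'tok-' + this.counter });
    return cookie;
  }

  handle(cookie, path, body = {}, headers = {}) {
    const session = this.sessions.get(cookie);
    if (!session) return { status: 403, body: 'Unknown session' };
    if (path === 'services/session/token') return { status: 200, body: session.token + '\n' };
    // Every other endpoint here is a POST and is CSRF-checked against the
    // token of the session identified by the cookie that arrived with it.
    if (headers['X-CSRF-Token'] !== session.token) {
      return { status: 401, body: 'Unauthorized: CSRF validation failed' };
    }
    switch (path) {
      case 'drupalgap/system/connect.json':
        return { status: 200, body: { user: { uid: session.uid } } };
      case 'user/register.json': {
        const uid = this.nextUid++;
        this.users.set(body.name, uid);
        if (!this.immediateLogin) return { status: 200, body: { uid } };
        // Immediate Login: the user is logged in right now, so the session is
        // regenerated and gets a fresh token. `cookie` stands in for Set-Cookie.
        return { status: 200, cookie: this.newSession(uid), body: { uid } };
      }
      case 'user/login.json': {
        if (session.uid !== 0) return { status: 406, body: 'Already logged in' };
        const uid = this.users.get(body.name);
        return { status: 200, cookie: this.newSession(uid), body: { user: { uid } } };
      }
      default:
        return { status: 404, body: 'Could not find the controller' };
    }
  }
}

// Client side: holds the cookie (as a browser would) and a cached CSRF token.
class ServicesClient {
  constructor(server) {
    this.server = server;
    this.cookie = server.newSession(0); // anonymous session
    this.token = null;
  }
  refreshToken() {
    this.token = this.server.handle(this.cookie, 'services/session/token').body.trim();
  }
  post(path, body = {}) {
    if (this.token === null) this.refreshToken();
    const res = this.server.handle(this.cookie, path, body, { 'X-CSRF-Token': this.token });
    if (res.cookie) this.cookie = res.cookie; // the browser adopts the new session cookie
    return res;
  }
}

// What comments #14 and #16 describe: register, then log in with the token
// cached before registration. With Immediate Login on, the login call fails.
function naiveRegisterAndLogin(client, name) {
  client.post('user/register.json', { name });
  return client.post('user/login.json', { name });
}

// A flow that survives both settings: refresh the token after any call that may
// have changed the session, then let System Connect say whether a login is needed.
function registerAndSignIn(client, name) {
  client.post('user/register.json', { name });
  client.refreshToken();
  const connect = client.post('drupalgap/system/connect.json');
  if (connect.body.user.uid !== 0) return connect.body.user.uid; // already logged in by Immediate Login
  const login = client.post('user/login.json', { name });
  client.refreshToken(); // login regenerated the session as well
  return login.body.user.uid;
}
```

The difference between the two flows is only when the token is refreshed: a cached token is only as good as the session it was minted for, so every call that can change the session (register with Immediate Login, login, logout) should be followed by a fresh services/session/token request before the next CSRF-checked POST.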
Comment #17
tyler.frankenstein commented:
Thank you for the very detailed explanation J2. Will you please copy/paste your comment into a new issue with a title related to Login Toboggan? I have a few ideas on how this can be accommodated with DrupalGap core and Login Toboggan.
Comment #18
styrbaek commented:
I am not using the Login Toboggan module, but still have the problem described in #14
Comment #19
J2 commented:
@tyler.frankenstein: Yeah I will do that. Which issue queue would be best for it?
Comment #20
tyler.frankenstein commented:
@J2: https://www.drupal.org/node/add/project-issue/drupalgap
@styrbaek I'm not sure what's going on with yours... when folks have these types of problems I tend to blame CORS, but I must admit I don't know much about it and have been fortunate that my web hosts environments haven't had any strange issues like these.
Comment #21
J2 commented:
@tyler.frankenstein: Here's the issue.