SYSTEM CONNECT STATUS "Unauthorized: CSRF validation failed"

A few things:

• What version of the Services module are you using?
• What version of the DrupalGap module are you running?
• What is your site's URL?

For the two modules mentioned above, make sure you are running the latest recommended release (or dev snapshot) of both.

Also when you visit admin/config/drupalgap, open up your JavaScript console in your browser. Does it report any error(s)?

Are you trying to use the DrupalGap app that is downloaded from Google or Apple?

Or are you building your own app?

I just tried to use FireFox Poster to do a System Connect to your site as an anonymous user... FireFox froze and eventually crashed for me.

However, I noticed that after visiting the URL (http://dm.pcd.ps/?q=drupalgap/system/connect.json) directly, I receive this error:

404 Not found: Could not find the controller.

Go to admin/structure/services and click 'Edit resources' next to DrupalGap, make sure the System Connect resource is enabled. Then flush all of your cache's and try again.

Take a look your your token result:

http://dm.pcd.ps/?q=services/session/token

Compared to an example token from my site:

http://tylerfrankenstein.com/?q=services/session/token

Your token is returning an empty line above the token, mine just returns the token. I think this empty line is what is causing the error in your first screen shot.

Please update your Services module to 3.7.

Also, you may want to check with your website host about their CORS policy:

http://en.wikipedia.org/wiki/Cross-origin_resource_sharing

It's possible the multilingual will cause problems when displaying content and users, but it shouldn't interfere with basic set up.

any new news about this?

I have the same problem

https://www.evernote.com/shard/s280/sh/02faae5a-c6e9-45f9-8ebf-97089fc4c...

Please see the troubleshooting guide(s):

https://www.drupal.org/node/2015065

Then report back what techniques you've tried to resolve it, then we can more accurately debug your problem.

i got the same error and i need help in adding the token to each request on my custom drupalgap APP

@dana_deek, see comment #8, and DrupalGap has built in support for the CSRF token.

Also, all future people that stop here. This is a common problem. Simply saying "I got the same error" is not helpful at all. This problem is well documented, please actually try all of the tecnhiques for resolving it listed in this issue and elsewhere. Then report back here what techniques you actually tried to solve the problem.

It is also crucially important that you mention what version of the modules and SDK you are running. And mention what your development environment consists of, Ripple, Android Device/Emulator, iOS Device/Emulator, etc.

Also, you need to manually verify that the System Connect is working properly:

1. Open FireFox
2. Log out of your Drupal site
3. Install Firefox Poster Plugin
4. Open Firefox Poster Plugin
5. Make a POST to http://example.com/?q=drupalgap/system/connect.json
6. Verify JSON results are returned in the result window

Here are related issues:

#2051853: System Connect Status Check Fails
#1884184: The "System Connect" test failed!
https://github.com/signalpoint/DrupalGap/issues/53
http://www.drupalgap.org/troubleshoot

On a related note, today I received the following error:

XMLHttpRequest cannot load http://example.com/?q=services/session/token. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://example.com' is therefore not allowed access.

When trying to access the following URL in Chrome + Ripple:
http://example.com/mobile-application

This is because in my app/settings.js file, the site_path is set to http://www.example.com. Since the www is present, I then navigated here:

http://www.example.com/mobile-application

And it worked! This only appears to be a "problem" on some server set ups, I hope this helps somebody!

Hi there, i have the same problem usin the web app localy.

XMLHttpRequest cannot load http://dev-pcabrol.pantheon.io/?q=services/session/token. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost' is therefore not allowed access.

if you access the url, you get the token, but not in the web app from localhost.

The other things is that the phonegap application (downloaded from the drupal site) is not working either.

i'm working on
Drupalgap 7.x-1.14
services 7.x-3.12

any help?????

thanks.

@lepabloski,

This is a CORS issue. CORS module can help, but it has some bugs (can only allow either one external domain or any domain access).

I would recommend getting off of pantheon. I ran into issues with them, specifically wasn't able to issue any PUT command from DrupalGap/Drupal Services (required for updating content/users/entities).

Here's my thread when I found that out: https://www.drupal.org/node/2693085

DrupalGap has worked on every other configuration of shared hosing that I've tried it on, and I ended up on Aquia for shared hosting, although their managed dev tools don't always know what to do with Drupal if you move Drupal into a subfolder to run it as a Headless Drupal site, i.e.: http://docs.drupalgap.org/7/Developer_Guide/Headless_Drupal

Hello,
Ive installed Drupal 7 and the module drupal gap and generated and launched the app.
It seems to be working ok. I can login with any created user.
Then when i go to user register form and create a new account, when i submit the form, it gives me the account created alert message saying "Registration Complete!".
However after that it gives me a second alert saying that "CSRF validation failed" and it stays at the same registration form page.
If i go to login, i cannot login with the new user.
But If i refresh the page/app, the new user is logged in. If i logout and go to the login form and login again it works perfectly.
The CSRF error shows up only when creating a new account.
What i want is for the user to be logged in automatically when the account is created.
I installed Login Toboggan in Drupal and Drupalgap, and configured it so that the user will be logged in inmediatelly.
Im working everything on localhost.
Ive tested on poster my url:
http://localhost/sandbox.codeatrium/?q=drupalgap/system/connect.json
it show the "CSRF validation failed" error.
I dont understand why is it that this only happends when registering a new account and the normal login works fine.
Any sugestions on why could it be that this is happening!
Thank you for your help!

I have the same issue as #14

I'm also having the issue described in #14.

Lots of testing revealed that this is caused by Login Toboggan's "Immediate Login" setting (see the attached screenshot). When that setting is activated, the user will be logged in automatically as soon as they register within the app. This is true whether or not the user_register_form has the auto_user_login property set to true or false.

If set to true, Login Toboggan logs the user in right when the user is registered, and the user will be assigned a new CSRF token - one that is associated with that user's account. Then, the app attempts to perform a second login, thus returning the invalid CSRF token error. The CSRF token is invalid because the app tried to use the old CSRF token (the one used upon registration) to log in a second time, instead of using the new CSRF token that the user account now has (as given when Login Toboggan logged the user in the first time).

If set to false, the user will still be logged in by Login Toboggan upon registration. So the user won't see the "invalid CSRF token" error until the next time he/she tries to login within the app.

TL;DR:
The essence of the error is that Drupalgap's Login Toboggan module doesn't take into account how the Drupal Login Toboggan module's "Immediate Login" setting will behave in the context of Drupalgap apps. This is a bug that needs to be fixed.

The workaround (in the meantime) will probably require entirely refreshing the app upon registration form submission. Or just turning off that Login Toboggan setting (if that's an option for you - unfortunately, it's not an option for what I am doing).

Thank you for the very detailed explanation J2. Will you please copy/paste your comment into a new issue with a title related to Login Toboggan? I have a few ideas on how this can be accommadated with DrupalGap core and Login Toboggan.

I am not using the Login Toboggan module, but still have the problem described in #14

@tyler.frankenstein: Yeah I will do that. Which issue queue would be best for it?

@J2: https://www.drupal.org/node/add/project-issue/drupalgap

@styrbaek I'm not sure what's going on with yours... when folks have these types of problems I tend to blame CORS, but I must admit I don't know much about it and have been fortunate that my web hosts environments haven't had any strange issues like these.

@tyler.frankenstein: Here's the issue.