
Comments (9)

mahadi-hossain avatar mahadi-hossain commented on May 30, 2024 1

Thanks a lot for figuring out my understanding gap about the "Additional Cookie part" that had been causing the problem for so long. I am very sorry for wasting your time. I think the issue can be closed.

from playframework.

mkurz avatar mkurz commented on May 30, 2024

The CSRFFilter is enabled automatically in Play, you do not need to enable it with play.filters.enabled += "play.filters.csrf.CSRFFilter", please remove that. See https://www.playframework.com/documentation/3.0.x/Filters#Default-Filters

How do you call your /post route? From a Twirl view? With curl? You need to generate a CSRF token or cookie somehow beforehand and send it to this route so Play knows about it.


mahadi-hossain avatar mahadi-hossain commented on May 30, 2024

I updated the issue.

  1. Without play.filters.enabled += "play.filters.csrf.CSRFFilter" it is also not generated. That is why I added that in application.conf.
  2. I used Postman for calling "/post". In previous versions of Play I did not encounter such a thing. Basically, that would cause an authentication issue in the past version due to not sending the CSRF token with the header from Postman, but in this case I did not send a CSRF token with the header, and no authentication complaint was raised. That means the CSRF token is not checked by the filter, which returns a 200 status.


mahadi-hossain avatar mahadi-hossain commented on May 30, 2024

The main issue is that the CSRF token is not checked by the application. I updated the issue.


mkurz avatar mkurz commented on May 30, 2024

Can you please provide me the exact curl command you run, including the -v verbose flag? Thanks!


mkurz avatar mkurz commented on May 30, 2024

And you say in Play 2.8 it behaved differently?


mahadi-hossain avatar mahadi-hossain commented on May 30, 2024
curl -X POST -H "Content-Type: application/json" -d '{"name": "John Doe", "age": 30, "city": "New York"}' http://127.0.0.1:9000/post -v
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 127.0.0.1:9000...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 9000 (#0)
> POST /post HTTP/1.1
> Host: 127.0.0.1:9000
> User-Agent: curl/7.68.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 51
> 
* upload completely sent off: 51 out of 51 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
< X-Frame-Options: DENY
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Permitted-Cross-Domain-Policies: master-only
< Date: Mon, 13 Nov 2023 08:26:24 GMT
< Content-Type: text/plain; charset=UTF-8
< Content-Length: 4
< 
* Connection #0 to host 127.0.0.1 left intact


mahadi-hossain avatar mahadi-hossain commented on May 30, 2024

And you say in Play 2.8 it behaved differently?

Yes, that would return a 401 (if I am not wrong). It was mandatory to attach a valid, non-expired CSRF token in a header named "Csrf-Token".


mkurz avatar mkurz commented on May 30, 2024

I am pretty sure everything is ok. Please read the docs:

Play will require a CSRF check when all of the following are true:

  • The request method is not GET, HEAD or OPTIONS.
  • The request has one or more Cookie or Authorization headers.
  • The CORS filter is not configured to trust the request’s origin.

Your curl command has neither a Cookie nor an Authorization header.
When I

  1. add --cookie "USER_TOKEN=Yes" to your curl command or
  2. add a header -H "Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l"

then I get a 403 Forbidden response. Also the Play app now logs:

2023-11-13 12:35:25 WARN  play.filters.CSRF  [CSRF] Check failed because no token found in headers for /post

I also tested with Play 2.8.21 and it has the exact same behaviour. If no Cookie and no Authorization header gets sent, then it responds with 200 OK.
I also checked

git difftool 2.8.21..2.9.0 web/play-filters-helpers/src/main/scala/play/filters/csrf/
git difftool 2.8.21..2.9.0 web/play-filters-helpers/src/main/java/play/filters/csrf/

and there are no relevant changes that would change the behaviour.

I am pretty sure everything is ok.

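The three conditions quoted above are the whole point of the thread: a request that carries no Cookie and no Authorization header carries no ambient credential of a victim, so a forged cross-site request to that endpoint has nothing to steal and Play lets it through to the action. A curl or Postman call with no cookies is therefore not a test of the CSRF protection at all. The model below is an added example written for this page, not Play's own CSRFFilter code; it reproduces the decision logic of the documented defaults (whitelisted methods GET/HEAD/OPTIONS, protecting on Cookie or Authorization, bypass for CORS-trusted origins, token supplied via the Csrf-Token header, a csrfToken form field or a csrfToken query parameter) and replays the three curl variants from the comment above. Where it keeps the expected token in a cookie named csrfToken and compares it with a constant-time string comparison is an assumption and a simplification: real Play keeps the token in the session unless a cookie name is configured, and its tokens are signed.

```python
"""Model of the Play CSRFFilter decision logic (added example, not Play's code)."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs

# Defaults as quoted from the Play documentation in the thread above.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
PROTECT_HEADERS = ("Cookie", "Authorization")  # presence of either triggers a check
TOKEN_HEADER = "Csrf-Token"                    # documented default header name
TOKEN_NAME = "csrfToken"                       # documented default token/field name
# ASSUMPTION: the expected token is read from a cookie called csrfToken; real Play
# reads it from the session by default and only from a cookie if configured.
TOKEN_COOKIE = "csrfToken"


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    query: str = ""
    body: str = ""

    def header(self, name: str) -> Optional[str]:
        # Header names are case-insensitive in HTTP.
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), None)


def requires_csrf_check(req: Request, cors_trusted_origin: bool = False) -> bool:
    """All three documented conditions must hold for a check to be performed."""
    if req.method.upper() in SAFE_METHODS:
        return False
    if cors_trusted_origin:
        return False
    return any(req.header(h) is not None for h in PROTECT_HEADERS)


def cookie_value(req: Request, name: str) -> Optional[str]:
    """Pull one value out of a 'Cookie: a=b; c=d' header."""
    for part in (req.header("Cookie") or "").split(";"):
        k, _, v = part.strip().partition("=")
        if k == name:
            return v
    return None


def supplied_token(req: Request) -> Optional[str]:
    """Token from the Csrf-Token header, then a form-encoded body, then the query string."""
    if req.header(TOKEN_HEADER):
        return req.header(TOKEN_HEADER)
    content_type = (req.header("Content-Type") or "").split(";")[0].strip().lower()
    if content_type == "application/x-www-form-urlencoded":
        values = parse_qs(req.body).get(TOKEN_NAME)
        if values:
            return values[0]
    values = parse_qs(req.query).get(TOKEN_NAME)
    return values[0] if values else None


def csrf_filter(req: Request, cors_trusted_origin: bool = False) -> Tuple[int, str]:
    """Return (status, reason); 200 stands in for 'request passed on to the action'."""
    if not requires_csrf_check(req, cors_trusted_origin):
        return 200, "no check required"
    supplied = supplied_token(req)
    if supplied is None:
        # Same situation as the WARN line quoted in the thread.
        return 403, "no token found in headers"
    expected = cookie_value(req, TOKEN_COOKIE)
    if expected is None:
        return 403, "no token found in session"
    # Simplification: plain constant-time compare; real Play compares signed tokens.
    if not hmac.compare_digest(expected, supplied):
        return 403, "token mismatch"
    return 200, "token ok"


# Constructed requests mirroring the curl commands discussed above.
JSON_BODY = '{"name": "John Doe", "age": 30, "city": "New York"}'
THREAD_CASES = {
    "json_no_credentials": Request("POST", "/post", {"Content-Type": "application/json"}, body=JSON_BODY),
    "with_cookie_no_token": Request("POST", "/post",
                                    {"Content-Type": "application/json", "Cookie": "USER_TOKEN=Yes"},
                                    body=JSON_BODY),
    "with_authorization": Request("POST", "/post",
                                  {"Content-Type": "application/json",
                                   "Authorization": "Basic YWxhZGRpbjpvcGVuc2VzYW1l"},
                                  body=JSON_BODY),
}

if __name__ == "__main__":
    for name, req in THREAD_CASES.items():
        print(f"{name:22s} -> {csrf_filter(req)}")
```

Run with no arguments it prints 200 for the credential-less JSON post and 403 for the cookie and Authorization variants, which is the behaviour reported for both Play 2.8.21 and 2.9.0 in the comment above. To exercise the protection properly from Postman or curl, first obtain a token (for example by rendering a Twirl view that calls the CSRF helper, or by calling a GET route that adds one) and then send both the cookie or session and the matching Csrf-Token header.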
