I'm getting an "Invalid anti-forgery token" when I try using POST method in a Clojure Webapp project I created using Compojure template.
I researched, and Ring middle ware creates CSRF (cross site request forms) tokens to authenticated requests coming from other sites (to use someone else's credentials who has already logged in and access pages not allowed to access).
These tokens are default, and we need to use ring.middleware 's wrap-params around our WebApp. Couldn't get anywhere much. Please HELP !! How to get rid of Invalid anti-forgery token.
My handler.clj file is :
(ns jsonparser-webapp.handler
(:require [compojure.core :refer :all]
[compojure.route :as route]
[jsonparser-webapp.views :as views])
(:use [ring.middleware.params :only [wrap-params]])
(defroutes app-routes
(GET "/"
[]
(views/home-page))
(GET "/goto"
[]
(views/goto))
(POST "/posted"
{params :params}
(views/posted params))
(route/not-found "Not Found"))
(def app
(wrap-params app-routes site-defaults))
My views.clj file is
(ns jsonparser-webapp.views
(:require [hiccup.page :as hic-p]
[hiccup.form :as hf]))
(defn gen-page-head
[title]
[:head
[:title title]])
(defn home-page
[]
(hic-p/html5
(gen-page-head "Json Parser Home.")
[:h1 "Welcome."]
[:p "Json Web App."]
[:a {:href "http://localhost:3000/goto"} "Goto"]
[:p (hf/form {:action "/posted" :method "POST"}
(hf/text-field "TextInput")
(hf/submit-button "Submit"))]))
(defn goto
[]
(hic-p/html5
(gen-page-head "Goto Page.")
[:h1 "Hi."]
[:p "Go where?"]))
(defn posted
[{:keys [x]}]
(hic-p/html5
(gen-page-head "Posted.")
[:h1 "You posted."]
[:p x]))
Project created using Compojure template of Clojure in Eclipse CounterClockwise.
Anti-Forgery TokensOne token is sent as a cookie. The other is placed in a hidden form field. The tokens are generated randomly so that an adversary cannot guess the values. When the client submits the form, it must send both tokens back to the server.
The common “possible solutions” to anti-forgery token/cookie related issues are disabling output caching and enabling heuristic checks.
The anti-forgery token could not be decrypted. If this application is hosted by a Web Farm or cluster, ensure that all machines are running the same version of ASP.NET Web Pages and that the <machineKey> configuration specifies explicit encryption and validation keys. AutoGenerate cannot be used in a cluster.
ASP.NET Core uses a hidden field to store the anti-forgery token and uses the ValidateAntiForgeryToken attribute to validate the token. As the token is sent to the browser in a hidden field, it is also stored in an HttpOnly cookie.
You have to add (anti-forgery-field)
to your form, so that the anti forgery token is injected into the POST params.
Like this:
(ns jsonparser-webapp.views
(:require [hiccup.page :as hic-p]
> [ring.util.anti-forgery :refer [anti-forgery-field]]
[hiccup.form :as hf]))
(defn gen-page-head
[title]
[:head
[:title title]])
(defn home-page
[]
(hic-p/html5
(gen-page-head "Json Parser Home.")
[:h1 "Welcome."]
[:p "Json Web App."]
[:a {:href "http://localhost:3000/goto"} "Goto"]
[:p (hf/form {:action "/posted" :method "POST"}
(hf/text-field "TextInput")
> (anti-forgery-field)
(hf/submit-button "Submit"))]))
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With