Downstream services time out reading request body when csrf is set to cookie-accessible-from-js #203
Comments

I'm not sure I have a

It should just be a simple html form post.

For extra context on the reason for this structure: From the BFF tutorial, it's putting the resource server behind the BFF gateway under the security matchers that would then also require CSRF, as opposed to the BFF's own resource server. From this example, the specific focus is on the
Describe the bug

Downstream services time out reading the request body of a POST application/x-www-form-urlencoded request in the BFF pattern when

```yaml
csrf: cookie-accessible-from-js
```

It works just fine if csrf is disabled, with exactly the same request going through the BFF.

I've just started using this project with version 7.6.11, so it might be the case that I'm misconfiguring something here or using it in a way that is not best practice. Or maybe I just missed a part in the documentation.

Code sample
Example request
Expected behavior
Downstream service should be able to read the incoming request body
Additional context

The only difference I can see in implementation and execution when the csrf is enabled and required is that `ServerCsrfTokenRequestHandler.resolveCsrfTokenValue()` is not invoked through the `SpaCsrfTokenRequestHandler()` described in `ReactiveConfigurationSupport` when csrf is set to `COOKIE_ACCESSIBLE_FROM_JS`.

I think the core problem might be that this method of resolving the csrf first attempts to read it from the form data (even though the token is available in the header) in `resolveCsrfTokenValue()` when `exchange.getFormData()` is invoked. As I understand, this body can only be read once, but it is cached. I thought this would mean that it would safely propagate to the downstream service, but this does not seem to be the case: when this line is executed, the downstream service times out when attempting to read the request body.
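The mechanism described above, as an added illustration that is not code from this issue or from the project: a header-first `ServerCsrfTokenRequestHandler` for Spring Security WebFlux. Unlike the Spring reference SPA handler, which delegates to the default resolution that reads form data first even when the header is present, this one returns the header value directly and only calls `exchange.getFormData()` (which consumes the body) when no header is sent. It assumes the Spring Security 6.x reactive API (`ServerCsrfTokenRequestAttributeHandler`, `XorServerCsrfTokenRequestAttributeHandler`, `CookieServerCsrfTokenRepository`); the class name `HeaderFirstCsrfTokenRequestHandler` and the `configure()` helper are hypothetical. Whether it resolves the timeout in the BFF gateway setup described above is for the maintainers to confirm.

```java
import java.util.List;

import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
import org.springframework.security.web.server.csrf.CsrfToken;
import org.springframework.security.web.server.csrf.ServerCsrfTokenRequestAttributeHandler;
import org.springframework.security.web.server.csrf.XorServerCsrfTokenRequestAttributeHandler;
import org.springframework.util.StringUtils;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

/**
 * Hypothetical handler (added example, not project code): resolves the CSRF token
 * from the request header when one is present and only falls back to form data
 * when it is not. exchange.getFormData() consumes the request body, so it must not
 * be called for requests that already carry the token in a header.
 */
public class HeaderFirstCsrfTokenRequestHandler extends ServerCsrfTokenRequestAttributeHandler {

    // Form posts submit the XOR-masked token the XOR handler rendered into the page;
    // a JS client copies the raw cookie value into the header.
    private final ServerCsrfTokenRequestAttributeHandler xorDelegate =
            new XorServerCsrfTokenRequestAttributeHandler();

    @Override
    public void handle(ServerWebExchange exchange, Mono<CsrfToken> csrfToken) {
        // Let the XOR handler expose the masked token as a request attribute.
        xorDelegate.handle(exchange, csrfToken);
    }

    @Override
    public Mono<String> resolveCsrfTokenValue(ServerWebExchange exchange, CsrfToken csrfToken) {
        List<String> headerValues = exchange.getRequest().getHeaders().get(csrfToken.getHeaderName());
        boolean hasHeader = headerValues != null && headerValues.stream().anyMatch(StringUtils::hasText);
        if (hasHeader) {
            // Header present: compare the raw value and leave the body untouched,
            // so a gateway can still forward it to the downstream service.
            return Mono.justOrEmpty(exchange.getRequest().getHeaders().getFirst(csrfToken.getHeaderName()));
        }
        // No header: classic HTML form post. The delegate reads the form field
        // (this is the path that consumes the body) and unmasks the XOR-encoded token.
        return xorDelegate.resolveCsrfTokenValue(exchange, csrfToken);
    }

    /** Wires the handler and a JS-readable cookie repository into a ServerHttpSecurity builder. */
    public static ServerHttpSecurity configure(ServerHttpSecurity http) {
        return http.csrf(csrf -> csrf
                .csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse())
                .csrfTokenRequestHandler(new HeaderFirstCsrfTokenRequestHandler()));
    }
}
```

A request that carries a header with a wrong value is rejected even if the form field is correct; that is stricter than the default resolution, and deliberate, since a client that sets the header is expected to set it correctly.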