[Haskell-cafe] Yesod CSRF token

fr33domlover fr33domlover at riseup.net
Wed Feb 17 10:38:25 UTC 2016


Hello,

I started a new Yesod web app a few days ago. I'm using stack, LTS-5.1, and the
yesod-postgres scaffolding.

When I try to log in to my new minimal app, I get an error: "A valid CSRF
token wasn't present in HTTP headers or POST parameters." That's because the
POST request doesn't include that token for some reason. But I don't know why.

I found a recent PR which removes the CSRF token checking from the scaffolding,
but I do want CSRF protection to work. As a Yesod beginner, I'm not sure
exactly why the token doesn't get inserted where it should (the Yesod book says
yesod-form does insert it, so I assume this is a bug here) and how I can fix
that. Even if I inserted the token manually into the login form, what about all
the other POST requests my app may use, such as logout?

I also found a commit that adds the token to the redirectToPost function in
yesod-core, but

(1) It's in the most recent release, not in LTS
(2) I'm not sure it has anything to do with it because it seems to be some sort
of JS based form

Does anyone know whether this is a known issue and how to fix it?



Thanks!
--fr33
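For readers following this thread, here is an added example (not code from the post, the Yesod scaffolding, or the Yesod book) of a minimal Yesod app with yesod-core's defaultCsrfMiddleware enabled, showing the two ways a POST form ends up carrying the session token: a yesod-form form built with generateFormPost, which inserts the hidden _token field itself, and a hand-written logout form that adds the token explicitly via reqToken and defaultCsrfParamName. The route names and the App type are made up for the example; it does not diagnose why the scaffolded login form in the post lacked the token.

```haskell
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE QuasiQuotes       #-}
{-# LANGUAGE TemplateHaskell   #-}
{-# LANGUAGE TypeFamilies      #-}
-- Added example, not from the post or the scaffolding: a standalone Yesod app
-- with the CSRF middleware switched on. Route names and the App type are
-- hypothetical; the yesod-core/yesod-form functions used are the real ones.
module Main where

import Data.Text (Text)
import Yesod

data App = App

mkYesod "App" [parseRoutes|
/        HomeR   GET
/submit  SubmitR POST
/logout  LogoutR POST
|]

instance Yesod App where
    -- Every non-GET request must carry the token stored in the session,
    -- either as the _token POST parameter (defaultCsrfParamName) or in the
    -- X-XSRF-TOKEN header (defaultCsrfHeaderName); otherwise the request is
    -- rejected with the "valid CSRF token wasn't present" error.
    yesodMiddleware = defaultYesodMiddleware . defaultCsrfMiddleware

instance RenderMessage App FormMessage where
    renderMessage _ _ = defaultFormMessage

-- A yesod-form form. generateFormPost / runFormPost add and check the
-- hidden _token field on their own, so nothing extra is needed here.
nameForm :: Html -> MForm Handler (FormResult Text, Widget)
nameForm = renderDivs $ areq textField "Name" Nothing

getHomeR :: Handler Html
getHomeR = do
    (formWidget, enctype) <- generateFormPost nameForm
    req <- getRequest
    defaultLayout
        [whamlet|
            <form method=post action=@{SubmitR} enctype=#{enctype}>
                ^{formWidget}
                <button>Submit
            $# A hand-written POST form (e.g. logout) is not covered by
            $# yesod-form, so the token has to be inserted explicitly.
            <form method=post action=@{LogoutR}>
                $maybe token <- reqToken req
                    <input type=hidden name=#{defaultCsrfParamName} value=#{token}>
                <button>Log out
        |]

postSubmitR :: Handler Html
postSubmitR = do
    ((result, _), _) <- runFormPost nameForm
    defaultLayout $ case result of
        FormSuccess name -> [whamlet|<p>Hello #{name}|]
        _                -> [whamlet|<p>Form rejected|]

postLogoutR :: Handler Html
postLogoutR = do
    clearSession
    redirect HomeR

main :: IO ()
main = warp 3000 App
```

Run it with `runhaskell Main.hs` (yesod and yesod-form on the path) and compare the two forms in the page source: both contain an `<input type=hidden name=_token ...>`. Submitting either form with that field removed reproduces the error quoted in the post, which is a quick way to confirm the middleware is actually active in a given app.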

