Anti forgery token error when calling a clojure function in luminus

I am learning clojure with luiminus and I am trying to parse arguments following an example. By using curl I am sending username and password to be printed calling foo in the following route. However, I get the “Invalid anti-forgery token error”. And I have looked for solutions but can’t find any. Note that I am using the wrap middleware line also. Any suggestions?

curl --header "Content-Type: application/json" --request POST --data '{"username":"xyz","password":"xyz"}' 'localhost:3000/foo/bar?foo=bar'
(ns wkom.routes.home
  (:require
   [wkom.layout :as layout]
   [wkom.db.core :as db]
   [clojure.java.io :as io]
   [wkom.middleware :as middleware]
   [ring.util.response]
   [ring.util.http-response :as response]))

(defn home-page [request]
  (layout/render request "home.html" {:docs (-> "docs/docs.md" io/resource slurp)}))

(defn about-page [request]
  (layout/render request "about.html"))

(defn bootstrap [request]
  (layout/render request "bootstrap.html"))

(defn form [request]
  (layout/render request "form.html"))

(defn foo2 [{:keys [path-params query-params body-params]}]
  (print "from foo2\n")
  {:status 200 :body (str "path params: " path-params "\nquery params: " query-params "\nbody params: " body-params)})

(defn home-routes []
  [ "" 
   {:middleware [middleware/wrap-csrf
                 middleware/wrap-formats]}
   ["/foo/:bar" {:post (fn [{:keys [path-params query-params body-params]}]
                {:status 200 :body   (str "path params: " path-params
                                      "\nquery params: " query-params
                                      "\nbody params: " body-params)})}]
   ["/" {:get home-page}]
   ["/about" {:get about-page}]
   ["/bootstrap" {:get bootstrap}]
   ["/form" {:get form
             :post foo2}]
   ["/foo2/:bar" {:post foo2}]])

The CSRF stuff requires that every form POST includes the randomly-generated token that was added by the middleware when the form was generated – it’s done to specifically defeat attempts to POST to the app outside of actually clicking through the pages to fill out the form.

Comment out or remove this middleware from your routes

1 Like

That turns off the security. It’s there for a reason :slight_smile:

ok, if not comment it out, is tnere any other way?

Yes of course. I was under the impression that @md1frejo is in a exploration phase, where it would be helpful to be able to test requests through curl. That is actually how I did it when learning Luminus :grinning:. But maybe there is a another way?

right, I am doing it fpr learning purposes but if there is another way to avoid the error I would be happy to learn.

You can follow here; clojure - Set Ring-Anti-Forgery CSRF header token - Stack Overflow

The idea is to create a route that returns the csrf token for the session, so you can use curl on that, get the token and then use curl again providing the token in the header.

That said, I’m not sure if having such an API that returns the csrf token for a session is super safe either.

1 Like