(REITIT) How to have CSRF token shared by two route branches?

My routes (reitit) have the following branches, from my handler:


Home routes are those which our SPA handles, and service routes are those with DB connection functions. The home-routes don’t care about CSRF (they are all received via GET), but they are responsible for providing the csrf token that will be used by POST requests to the service-routes. Originally we had an issue in that wrap-csrf was being applied in the :middleware of each one, causing token mismatch failures. Then I tried putting it in a over-arching middleware like so (this being a use of reitit I haven’t tried before).

;; used below: 
(defn wrap-base [handler]
  (-> ((:middleware defaults) handler)
      (wrap-session {:cookie-attrs {:http-only true}})
	(-> site-defaults
	    (assoc-in [:security :anti-forgery] false)
	    (dissoc :session)))

       {:path "/"})
      ;(wrap-webjars (constantly nil)) ;; In other applications this was the answer to applying certain middleware
	(constantly (error-page {:status 401, :title "401 - Unauthorized",
				 :image "anakin_sitting.jpg", :caption "It's unfair! How can you be on this website and not be an admin?!"}))

	:not-found #(do (println "Not found:" (prn-str %))
			(error-page {:status 404, :title "404 - Page not found",
				     :image "missing_planet.jpg", :caption "This page ought to be here... but it isn't."}))
	(constantly (error-page {:status 405, :title "405 - Not allowed",
				 :image "anakin_obiwan_mustafar.jpg", :caption "Obi-Wan: Anakin, this is a get method!<br/><br/>Anakin: From my point of view, this is a post method!"}))
	(constantly (error-page {:status 406, :title "406 - Not acceptable"}))}))
;;;;;; AND NOW
     {:middleware [[wrap-base]]})

But now, however, I’m receiving this ugliness, which looks like a pretty low-down error:

2020-06-10 13:32:12,154 [XNIO-7 task-18] ERROR y-video-back.middleware.exception - UT000034: Stream is closed 
java.io.IOException: UT000034: Stream is closed
	at io.undertow.io.UndertowInputStream.read(UndertowInputStream.java:87) ~[undertow-core-1.4.14.Final.jar:1.4.14.Final]
	at io.undertow.io.UndertowInputStream.read(UndertowInputStream.java:78) ~[undertow-core-1.4.14.Final.jar:1.4.14.Final]
	at ring.middleware.format_params$slurp_to_bytes.invokeStatic(format_params.clj:42) ~[na:na]
	at ring.middleware.format_params$slurp_to_bytes.invoke(format_params.clj:35) ~[na:na]
	at ring.middleware.format_params$wrap_format_params$fn__27504.invoke(format_params.clj:77) ~[na:na]
	at ring.middleware.format_params$wrap_format_params$fn__27504.invoke(format_params.clj:92) ~[na:na]
	at ring.middleware.format_params$wrap_format_params$fn__27504.invoke(format_params.clj:92) ~[na:na]
	at ring.middleware.format_response$wrap_format_response$fn__27681.invoke(format_response.clj:194) ~[na:na]
	at y_video_back.middleware$wrap_formats$fn__64106.invoke(middleware.clj:90) ~[na:na]
	at ring.middleware.anti_forgery$wrap_anti_forgery$fn__25266.invoke(anti_forgery.clj:94) [na:na]
	at immutant.web.internal.undertow$wrap_undertow_session$fn__47145.invoke(undertow.clj:72) [na:na]
;;;;;; elided

I thought I’d ask here in case anyone has a solution in place for using :middleware and applying CSRF to multiple branches of a route tree, but if not, I’ll make an issue of it for Reitit.

This topic was automatically closed 182 days after the last reply. New replies are no longer allowed.