Plug.CSRFProtection.InvalidCSRFTokenError
Is there some documentation I can refer to about handling the CSRF error for email confirmation using Ash Authentication? Clicking on the Confirm button on the confirmation email gets me this error:
Plug.CSRFProtection.InvalidCSRFTokenError at POST /auth/user/confirm
invalid CSRF (Cross Site Request Forgery) token, please make sure that:
* The session cookie is being sent and session is loaded
* The request include a valid '_csrf_token' param or 'x-csrf-token' header
That's a bit unusual - clicking a link in an email isn't a POST request.
oh... I had the router setting wrong. This helped. Thanks!
https://github.com/team-alembic/ash_authentication/security/advisories/GHSA-3988-q8q7-p787
Email link auto-click account confirmation vulnerability
Impact
The confirmation flow for account creation currently uses a GET request triggered by clicking a link sent via email. Some email clients and security tools (e.g., Outlook, virus scanne...
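What "the router setting" usually comes down to in this situation, shown here as an added illustration rather than code from the thread or from the ash_authentication project: Plug.CSRFProtection (what `:protect_from_forgery` plugs in) compares the `_csrf_token` param against a value kept in the session, so the POST to `/auth/user/confirm` must travel through a pipeline that runs `:fetch_session` before `:protect_from_forgery`. A confirmation route mounted under a session-less pipeline (an `:api` pipeline, say) raises exactly the `InvalidCSRFTokenError` quoted above. `MyApp`, `MyAppWeb`, `MyApp.Accounts.User` and `AuthController` are placeholder names, and the `auth_routes_for/2`, `sign_out_route/1`, `:load_from_session` and `:load_from_bearer` helpers are assumed to be the ones provided by the installed ash_authentication_phoenix version; check its router docs for the exact macro names in your release.

```elixir
defmodule MyAppWeb.Router do
  use MyAppWeb, :router
  use AshAuthentication.Phoenix.Router

  # Correct: this pipeline loads the session *before* the CSRF check runs.
  # Plug.CSRFProtection reads the expected token from the session, so
  # :fetch_session has to come earlier in the list than :protect_from_forgery.
  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_live_flash
    plug :put_root_layout, html: {MyAppWeb.Layouts, :root}
    plug :protect_from_forgery
    plug :put_secure_browser_headers
    # ash_authentication_phoenix: populate the current user from the session
    plug :load_from_session
  end

  # Session-less pipeline for token-authenticated API clients only.
  # No session cookie and no CSRF check, so browser-form POSTs must not go here.
  pipeline :api do
    plug :accepts, ["json"]
    plug :load_from_bearer
  end

  # Wrong (the kind of misconfiguration that produces
  # Plug.CSRFProtection.InvalidCSRFTokenError at POST /auth/user/confirm):
  # the auth routes are piped through :api, so no session is loaded and the
  # confirmation form's _csrf_token cannot be matched against anything.
  #
  # scope "/", MyAppWeb do
  #   pipe_through :api
  #   auth_routes_for MyApp.Accounts.User, to: AuthController
  # end

  # Right: the auth routes, including /auth/user/confirm, live behind :browser.
  scope "/", MyAppWeb do
    pipe_through :browser

    # Placeholder resource and controller names; this mounts the strategy
    # routes for the User resource, the confirmation route among them.
    auth_routes_for MyApp.Accounts.User, to: AuthController
    sign_out_route AuthController
  end
end
```

Two quick checks once the routes are in the right scope: `mix phx.routes | grep confirm` should list the confirm route under the `:browser`-scoped paths, and the rendered confirmation page's form should contain a hidden `_csrf_token` input (Phoenix form helpers add it automatically for non-GET actions). If the token is present but the error persists, the usual remaining cause is a session cookie that is not being sent back, for example because the session cookie's domain or `SameSite` setting does not match the host the email link opens.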