Invalid CSRF token using flag.link_builder service

Created on 22 May 2020, almost 5 years ago
Updated 26 February 2023, about 2 years ago

I have a REST route that returns a list of user accounts. I have a flag set up called 'following', as you can follow and unfollow other members. In my REST route, I use:

$flag_link = \Drupal::service('flag.link_builder')->build('user', $member->id(), 'following');

which generates the link correctly as far as I can tell. In my JavaScript object I can see the link that was created. This is an example of the JS object of a user that I use on the front end:

0:
  flag_link:
    #access: true
    #action: "flag"
    #attached: {placeholders: {…}, library: Array(1)}
    #attributes: {title: "", href: "/flag/flag/following/3?destination&token=FS3qUJ8qDXd5aIqcn1lM459kYsfNuC5b_iePn_E1V5g", class: Array(1)}
    #cache: {contexts: Array(1), tags: Array(0), max-age: -1}
    #flag: {id: "following", label: "Following"}
    #flaggable: {}
    #theme: "flag"
    #title: {#markup: "Follow this person"}
  id: "3"
  name: "ronnie"
  url: "/user/3"

When I click the link it returns a 403 Forbidden with the message: "'csrf_token' URL query argument is invalid."

Any idea what I am doing wrong?

🐛 Bug report
Status

Needs work

Version

4.0

Component

Flag core

Created by

🇺🇸United States rondog469
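One way to return the flag link from a REST route without the invalid-token 403, which also shows why disabling the view cache helps in the comments below: this is added example code, not from the issue, the Flag module or Drupal core. The module name, class name, route path and the loadByProperties() selection are assumptions; the href in the issue's dump contains a CSRF placeholder that is only swapped for the session-bound token when the render array actually goes through the renderer.

```php
<?php
namespace Drupal\example_rest\Plugin\rest\resource;

use Drupal\Core\Cache\CacheableMetadata;
use Drupal\Core\Render\BubbleableMetadata;
use Drupal\rest\Plugin\ResourceBase;
use Drupal\rest\ResourceResponse;

/**
 * @RestResource(
 *   id = "example_members",
 *   label = @Translation("Members with follow links"),
 *   uri_paths = {"canonical" = "/api/members"}
 * )
 */
class MembersResource extends ResourceBase {
  public function get(): ResourceResponse {
    // Hypothetical selection: every active account.
    $members = \Drupal::entityTypeManager()->getStorage('user')
      ->loadByProperties(['status' => 1]);
    $link_builder = \Drupal::service('flag.link_builder');
    $renderer = \Drupal::service('renderer');
    $cache = new CacheableMetadata();
    $rows = [];
    foreach ($members as $member) {
      $build = $link_builder->build('user', $member->id(), 'following');
      // renderPlain() is a root render call: #attached placeholders are
      // replaced, including the CSRF lazy builder that swaps the placeholder
      // hash in the href for the session-bound token. Serialising the bare
      // render array ships the placeholder, which the flag route rejects.
      $html = (string) $renderer->renderPlain($build);
      // $build now carries the bubbled cacheability, including the 'session'
      // context the CSRF placeholder adds; without it a cached response would
      // hand one user's token to another, where it fails validation.
      $cache->addCacheableDependency(BubbleableMetadata::createFromRenderArray($build));
      $rows[] = [
        'id' => $member->id(),
        'name' => $member->getDisplayName(),
        'url' => $member->toUrl()->toString(),
        'flag_link' => $html,
      ];
    }
    $response = new ResourceResponse($rows);
    $response->addCacheableDependency($cache);
    return $response;
  }
}
```

On Drupal 10.3 and later renderPlain() is deprecated in favour of renderInIsolation(), which serves the same purpose here.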


Comments & Activities


  • 🇺🇸United States bkosborne New Jersey, USA

    I understand this patch is unlikely to be committed in its current state given the recent comments, but here's a version of it that applies against the latest beta for those that are using it already and it works for their use case.

  • 🇮🇹Italy Giuseppe87

    I'm facing an issue with a view and flag:

    I've a view on nodes, with the ajax flag field displayed.
    For most of them, the ajax flag/unflagging works.
    However, for some of them, the link fails with an access denied.
    I can't determine why only a minor part of them has this problem, but from the log and debugging it is definitely because the CSRF token generated for those links isn't correct.

    Either disabling the cache for the view, or using the patch at "nojs"/"ajax" route parameter in use-ajax link breaks CSRF protection (Needs work), solves the problem.

  • Hi, would like to echo @Giuseppe87.
    I have a similar setup with an ajax flag/unflag, and after the last set of updates to the flag/flag Bookmark.
    I have been facing "'csrf_token' URL query argument is invalid".
    Both solutions mentioned in #21 work (in case someone else is having this issue).

  • Assigned to RohitRawat676
  • Status changed to Active over 1 year ago
  • Issue was unassigned.
  • Status changed to Needs review over 1 year ago
  • Test run: Core: 9.5.x + Environment: PHP 7.3 & MySQL 5.7
    last update over 1 year ago
    46 pass
  • 🇵🇱Poland besek

    I had the same issue and from the solutions in #21 only disabling cache had a positive effect. The patch from "nojs"/"ajax" route parameter in use-ajax link breaks CSRF protection (Needs work) unfortunately didn't help.

  • 🇫🇮Finland anaconda777

    Same as #25
    Only disabling cache from the view which has these flag links solves the problem.
    Neither the Drupal core patch nor the patches here fix the issue for me.

  • 🇺🇦Ukraine knyshuk.vova

    #20 fixes the issue for me, but it can't be applied for 8.x-4.0-beta6.

    The patch can be used as a temporary solution while a better approach is not implemented yet.

    I updated the #20 patch to be compatible with 8.x-4.0-beta6 and changed the variable names.

  • 🇫🇮Finland anaconda777

    #27 fixed for me!! Thank you so much.

    So my problem was:

    A view which displays content; each content item has a "like" flag. (The view has infinite scroll and ajax enabled.)

    Without patch:
    The view works perfectly with cache on, when there are no exposed filters.
    When I add an exposed filter and the user sorts the view with exposed filters (the view loads with ajax, no page refresh),
    then some of the flagging links do not work and give this 'csrf_token' URL query argument is invalid.

    With the patch, I can now use views exposed filters, have cache on, and the view can be sorted and filtered without page refresh, and all the flagging links seem to be working.

  • 🇰🇿Kazakhstan ivnish

    MR needs a reroll. Also needs tests.
