CSRF Cookie token for Angular requests


Georgios Larkou

31 May 2016, 05:26:31
to play-framework

I created an assetHandler to serve static Angular files, but when I first request the handler it does not include any CSRF token as a cookie, so if I submit a form it does not include the CSRF token and I get the Unauthenticated User error.

Is it possible to explicitly set the CSRF token?

Here is the handler I created.

   
def assetHandler(file: String): Action[AnyContent] = {
       
var name = file


       
if (!file.contains(".")) {
          name
= Seq("index.html").mkString
       
}


        controllers
.Assets.at("/public/lib/platform", name)
   
}


PS. If I first request another regular controller (e.g. /api/ping), Play sends the CSRF token for that request and Angular is then able to use it in every request. Is it good practice to call an extra controller?

Greg Methvin

31 May 2016, 06:21:37
to play-framework
Hi Georgios,

I'm not that experienced with angular, but perhaps this is related to https://github.com/playframework/playframework/issues/5881

Greg

--
You received this message because you are subscribed to the Google Groups "play-framework" group.
To unsubscribe from this group and stop receiving emails from it, send an email to play-framewor...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/play-framework/3fbf8b8e-c5a4-432f-9ba0-b5ea79b510aa%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
Greg Methvin
Senior Software Engineer

Georgios Larkou

31 May 2016, 06:36:21
to play-framework
Hello Greg,

I answered on the GitHub issue.

The issue is that controllers that use Play's Assets.at controller to serve static Angular HTML files do not include the CSRF cookie you mentioned in the GitHub issue.

Every other request through a regular controller that returns, for example, JSON is correct and has the required cookie.

Is it good practice to make a request to a regular controller in order to get the cookie even if I do not need it? For example, a /ping? I think Assets.at should have the CSRF cookie. Is it possible to use another controller or extend Assets.at to add the cookie?
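One way to answer the question asked in both of Georgios's posts (whether the token can be set explicitly instead of priming it with a throwaway /ping call), as an added example that is not code from this thread, from Play or from Angular. It assumes Play 2.5 with play.filters.csrf.CSRFFilter enabled, the configuration shown in the comment so the cookie and header names match what Angular's $http uses by default, and a routes entry such as `GET /*file controllers.AngularAssets.at(file)`; the class name AngularAssets and the asset path are invented for the example. Two points it relies on are stated as assumptions in the comments: the filter will not attach a token to a response whose Cache-Control allows caching, and the token it generated for the request is readable through CSRF.getToken.

```scala
package controllers

import javax.inject.Inject
import play.api.mvc._
import play.filters.csrf.CSRF
import scala.concurrent.ExecutionContext

// Assumed application.conf settings (not from the thread), so the token lives in a
// cookie Angular's $http can read and is echoed back in the header Angular sends:
//   play.filters.csrf.cookie.name     = "XSRF-TOKEN"
//   play.filters.csrf.cookie.httpOnly = false
//   play.filters.csrf.header.name     = "X-XSRF-TOKEN"
class AngularAssets @Inject() (assets: Assets)(implicit ec: ExecutionContext) extends Controller {

  // Extension-less paths are Angular client-side routes and get the SPA entry point;
  // anything with an extension is an ordinary static file.
  def at(file: String): Action[AnyContent] = Action.async { implicit request =>
    val isEntryPoint = !file.contains(".")
    val name = if (isEntryPoint) "index.html" else file

    assets.at("/public/lib/platform", name)(request).map { result =>
      if (!isEntryPoint) {
        result // plain assets stay cacheable and carry no token
      } else {
        // 1. The entry point must not be cacheable: a cached copy would hand one
        //    token to every client, which is why (assumed filter behaviour) the CSRF
        //    filter refuses to add a token to a response whose Cache-Control allows caching.
        val uncached = result.withHeaders(CACHE_CONTROL -> "no-cache")
        // 2. Copy the token the filter generated for this request into the cookie
        //    explicitly instead of relying on the filter to do it for an asset response.
        CSRF.getToken(request) match {
          case Some(token) =>
            uncached.withCookies(
              Cookie("XSRF-TOKEN", token.value, httpOnly = false, secure = request.secure)
            )
          case None =>
            uncached // CSRF filter not active for this route: nothing to copy
        }
      }
    }
  }
}
```

Only the entry point gets the no-cache header and the cookie; scripts, styles and images keep their normal caching, so the token is issued once per page load rather than on every asset request, and Angular then sends it as X-XSRF-TOKEN on each subsequent POST without any extra priming call.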

Greg Methvin

3 Jun 2016, 22:18:24
to play-framework
Hi Georgios,

Okay, I'm not sure it's related to that issue. Let's continue the discussion here and we'll open a new one if needed.

Can you tell me which version of Play you're using and what your CSRF filter configuration looks like?

Greg

