I want to utilize tornado as a backend server using an Angular 6.x Web Application. If I now send a POST request to my server hosted locally the request arrives but tornado replies with a 403 printing the following:
'_xsrf' argument missing from POST
Since I don't want to turn off xsfr cookies, I now need a solution how to add this specific argument using Angular 6's HttpClient. Angulars official docs only state, that a token is set for all requests made.
There is a now deprecated version that worked by adding the following to the list of providers defined in app.module.ts. However the docs just state to look at the new HttpClient which was not quite helpful.
{
provide: XSRFStrategy,
useValue: new CookieXSRFStrategy('csrftoken', 'X-CSRFToken')
}
Backend-wise cookies are set on login as following:
def post(self):
incorrect = self.get_secure_cookie("incorrect")
if incorrect and int(incorrect) > 10:
return
getusername = tornado.escape.xheml_escape(self.get_argument("username"))
getpassword = tornado.escape.xheml_escape(self.get_argument("password"))
print(getusername)
print(getpassword)
if getusername == "admin" and getpassword == "admin":
self.set_secure_cookie("user", self.get_argument("username"))
self.set_secure_cookie("incorrect", "0")
self.redirect(self.reverse_url("main"))
else:
incorrect = self.get_secure_cookie("incorrect") or 0
increased = str(int(incorrect) + 1)
self.set_secure_cookie("incorrect", increased)
self.write("Wrong username or password")
I absolutely see that this is not secure at all, but more security will be added during further development. This is just a basic example to get all the stuff working.
Maybe one of you has already coped with this and has a solution or at least a hint where to look.
Two things:
_xsrfwhose value is the same as the cookie set by Tornado.How to fix it:
What you have to do is read the value of the cookie set by Tornado. The cookie's name will be
_xsrf.Then, when you send the POST request, include a field called
_xsrfwith the value of the cookie in your form data.