
CSRF error when updating user profile from sale tunnel in production #2669

@NamFra

Description


Bug Report

Problematic Behavior

When going through the sale tunnel, attempting to subscribe after updating the user's full name results in a 403 error (CSRF Failed) when the PATCH request is sent to the Open edX user API.


The browser console shows:


Response:

PATCH <https://lms.fun-mooc.fr/api/user/v1/accounts/username> 403 Forbidden 
{"detail":"CSRF Failed: CSRF token missing or incorrect."}

Expected behavior/code

Users should be able to update their name from the sale tunnel within Richie.

In preproduction, the update works as expected and correctly updates the "Full Name" field on the Open edX account settings page: https://lms.fun-mooc.fr/account/settings

Steps to Reproduce

  1. Go to a training on fun-mooc.fr
  2. Open the sale tunnel
  3. Attempt to update the full name field
  4. Click on Subscribe
  5. Observe the 403 (CSRF Failed) error in the browser console

Environment

  • Richie version: 1.44.0
  • Platform: production

Possible Cause

It seems the issue comes from sending the request from www.fun-mooc.fr to lms.fun-mooc.fr: the CSRF token the LMS expects is not accessible in that context.

  • In preprod, the domain has an edx_csrf_token cookie, whose value matches the edx_csrf_token expected by the LMS. This token is therefore accepted when sent in authenticated requests.
  • In production, the domain www.fun-mooc.fr does not have the edx_csrf_token cookie. It only has a csrftoken which does not match the one expected by the LMS (lms.fun-mooc.fr) and is not usable for authentication. As a result, the PATCH request systematically fails with a CSRF error.
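The cookie-scope difference described above, as an added model that is not Richie or Open edX code: RFC 6265 domain matching decides which cookies a page on www.fun-mooc.fr can read, and a double-submit check on the LMS side then accepts or rejects the token. The Domain attributes, the csrftoken fallback and the token values are assumptions constructed to reproduce the reported behaviour.

```typescript
// Added example, not Richie or Open edX code: models why the same PATCH passes
// CSRF in preprod and fails in production. Cookie scopes below are assumptions
// chosen to reproduce the reported behaviour; token values are constructed.
interface Cookie { name: string; value: string; domain: string; hostOnly: boolean }

// RFC 6265 domain matching: a host-only cookie is sent back only to the exact host
// that set it; a cookie with Domain=fun-mooc.fr is sent to fun-mooc.fr and every
// subdomain, so www.fun-mooc.fr and lms.fun-mooc.fr both see it.
function cookieVisibleTo(c: Cookie, requestHost: string): boolean {
  const host = requestHost.toLowerCase();
  const domain = c.domain.toLowerCase().replace(/^\./, "");
  if (c.hostOnly) return host === domain;
  return host === domain || host.endsWith("." + domain);
}

// What document.cookie exposes to a page served from `pageHost`.
function cookiesReadableFrom(jar: Cookie[], pageHost: string): Record<string, string> {
  const out: Record<string, string> = {};
  for (const c of jar) if (cookieVisibleTo(c, pageHost)) out[c.name] = c.value;
  return out;
}

// Double-submit check as the LMS applies it: the token sent in the request header
// must equal the edx_csrf_token the LMS associated with the session.
function lmsAccepts(headerToken: string | undefined, expected: string): { status: number; detail?: string } {
  if (headerToken !== undefined && headerToken === expected) return { status: 200 };
  return { status: 403, detail: "CSRF Failed: CSRF token missing or incorrect." };
}

// The sale tunnel reads edx_csrf_token from the page's cookies; when it is not
// visible, this model sends csrftoken instead (assumed client behaviour).
function patchAccountFromSaleTunnel(jar: Cookie[], pageHost: string, expected: string) {
  const visible = cookiesReadableFrom(jar, pageHost);
  const token = visible["edx_csrf_token"] ?? visible["csrftoken"];
  return lmsAccepts(token, expected);
}

const LMS_TOKEN = "lms-csrf-token-constructed";
// Preprod (assumed): edx_csrf_token scoped to the parent domain, readable from www.
const preprodJar: Cookie[] = [
  { name: "edx_csrf_token", value: LMS_TOKEN, domain: ".fun-mooc.fr", hostOnly: false },
];
// Production (assumed): edx_csrf_token is host-only on the LMS; www only has Richie's csrftoken.
const prodJar: Cookie[] = [
  { name: "edx_csrf_token", value: LMS_TOKEN, domain: "lms.fun-mooc.fr", hostOnly: true },
  { name: "csrftoken", value: "richie-csrf-token-constructed", domain: "www.fun-mooc.fr", hostOnly: true },
];
console.log(patchAccountFromSaleTunnel(preprodJar, "www.fun-mooc.fr", LMS_TOKEN).status); // 200
console.log(patchAccountFromSaleTunnel(prodJar, "www.fun-mooc.fr", LMS_TOKEN).status);    // 403
```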

Additional context/Screenshots

  • An error is also reported in Sentry, pointing to openedx-fonzie.ts:
Error: [POST - Account] > 403 - 
  at call(./node_modules/richie-education/js/api/lms/openedx-fonzie.ts:89:22)
  at tryCatch(./node_modules/richie-education/js/api/lms/openedx-fonzie.ts:2:1)
  at _invoke(./node_modules/richie-education/js/api/lms/openedx-fonzie.ts:2:1)
  at a(./node_modules/richie-education/js/api/lms/openedx-fonzie.ts:2:1)
  at asyncGeneratorStep(./node_modules/richie-education/js/api/lms/openedx-fonzie.ts:2:1)
  at _throw(./node_modules/richie-education/js/api/lms/openedx-fonzie.ts:2:1)

handle(new Error(`[POST - Account] > ${e.code} - ${e.message}`));

