Closed as not planned
Description
Environment
- Elixir version (elixir -v): 1.16.3
- Phoenix version (mix deps): 1.7.10
- Operating system: Linux
Actual behavior
To get session in WebSocket, we need to include _csrf_token in the connection parameters. However, if the CSRF token was generated using Plug.CSRFProtection.get_csrf_token_for/1, the validation will always fail.
Expected behavior
Should using a host-specific CSRF token succeed in a WebSocket session (unless it's by design for some reason)?
Explanation
This happens in 1.7.10 but I guess it also happens in the main branch. Given that the CSRF token validation function used in Phoenix.Socket.Transport is Plug.CSRFProtection.valid_state_and_csrf_token?/2, which only accepts CSRF tokens in the format
<<user_token::@double_encoded_token_size-binary, mask::@encoded_token_size-binary>>,
maybe the following format should also be considered?
<<@digest, _::binary>> = signed_user_token,
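Added example (not code from the issue, nor from Phoenix or Plug): a script that generates both token kinds from one CSRF state and runs each through the same validation call that Phoenix.Socket.Transport uses, so you can check which token shape your page embeds before relying on check_csrf for a session-backed socket. It assumes a project with :plug as a dependency (run with `mix run csrf_socket_check.exs`); the secret key base and host URL are constructed stand-ins, and it assumes that load_state/2 makes the secret available to get_csrf_token_for/1 the same way the Plug.CSRFProtection plug does during a request.

```elixir
# Added example, not from the issue or from Phoenix/Plug.
# Assumed setup: :plug available, run via `mix run csrf_socket_check.exs`.

alias Plug.CSRFProtection

# Constructed stand-ins; in a real app these come from the endpoint config
# and from the user's session.
secret_key_base = String.duplicate("s", 64)
session_csrf_token = nil # nil: nothing stored in the session yet

# Load CSRF state into this process the way the Plug.CSRFProtection plug does
# on a request (assumption: this also supplies the secret that
# get_csrf_token_for/1 needs to sign a host-bound token).
:ok = CSRFProtection.load_state(secret_key_base, session_csrf_token)

# `state` is what ends up in the session after the request; the socket code
# reads the same value back when `check_csrf: true` is set on :session.
state = CSRFProtection.dump_state()

# Token A: the masked, session-wide token from get_csrf_token/0
# (format <<user_token::..-binary, mask::..-binary>>).
session_wide_token = CSRFProtection.get_csrf_token()

# Token B: the signed, host-specific token from get_csrf_token_for/1, which
# the issue reports as always failing socket validation. A full URL with a
# host is needed, otherwise Plug falls back to the session-wide token.
host_specific_token = CSRFProtection.get_csrf_token_for(URI.parse("https://app.example.test/"))

# Same public call Phoenix.Socket.Transport uses on the socket's _csrf_token param.
socket_accepts? = fn token ->
  CSRFProtection.valid_state_and_csrf_token?(state, token)
end

IO.inspect(String.slice(session_wide_token, 0, 8) <> "...", label: "session-wide token prefix")
IO.inspect(String.slice(host_specific_token, 0, 8) <> "...", label: "host-specific token prefix")
IO.inspect(socket_accepts?.(session_wide_token), label: "socket accepts session-wide token")
IO.inspect(socket_accepts?.(host_specific_token), label: "socket accepts host-specific token")
```

The printed prefixes make the difference in token shape visible (the host-specific one carries the signed-message prefix the issue refers to as @digest), and the two boolean lines show what the socket's check returns for each. If your layout renders the socket token with get_csrf_token_for/1, this is the quickest way to confirm on your own Plug version whether the behaviour described in the issue applies.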