How do I get forms to POST when (with-csrf-token) is enabled?

[ohmyohmyohmy]

Hi all,

I keep getting status=403 when (with-csrf-token) is one of the middlewares. What am I doing wrong, and how can I fix this? What do I need to know to get this to work?

Thanks for your help.

(use joy)

# Layout
(defn app-layout [{:body body :request request}]
  (text/html
    (doctype :html5)
    [:html {:lang "en"}
     [:head
      [:title "joy-tester"]
      [:meta {:charset "utf-8"}]
      [:meta {:name "viewport" :content "width=device-width, initial-scale=1"}]
      [:meta {:name "csrf-token" :content (csrf-token-value request)}]]
     [:body.light-gray.bg-near-black
       body]]))

(defn time? []
  (os/strftime "%H:%M:%S"))

(defn form [type text]
  [:form {:action "/hello" :method (if (= type :post) "post" "get")}
   [:input {:type "submit" :value text}]])

(defn home [request]
  [:div {:class "tc"}
   [:h1 "You found joy!"]
   [:p {:class "code"}
    [:b "Joy Version:"]
    [:span (string " " version)]]
   [:p {:class "code"}
    [:b "Janet Version:"]
    [:span janet/version]]
   (form :post "POST")
   (form :get "GET")
   [:div {:id "testing123"}]])


(defn tester [request]
  (pp request)
  [:div {:id "testing123"} (string "This is a test: " (time?))])

(defn new [request]
  (form-for [request :create]
    [:input {:type "text" :name "username"}]))

# Routes
(route :get "/" :home)
(route :post "/hello" :tester)
(route :get "/hello" :tester)

# Middleware
(def app (-> (handler)
             (layout app-layout)
             (with-csrf-token)
             (with-session)
             (extra-methods)
             (query-string)
             (body-parser)
             (json-body-parser)
             (server-error)
             (x-headers)
             (static-files)
             (not-found)
             (logger)))

# Server
(defn main [& args]
  (let [port (get args 1 (os/getenv "PORT" "9001"))
        host (get args 2 "127.0.0.1")]
    (server app port host)))

[swlkr]

You can use form-for or find the csrf-token and put that as a hidden input in your form defn

https://github.com/joy-framework/joy/blob/master/docs/form-submission.md#submitting-a-form-with-no-protection

[ohmyohmyohmy]

Thanks! It works now.

Except in the example above, in the hidden input, name="csrf-token" doesn't work. It's works when name="__csrf-token", as found inside form-for.

[swlkr]

Ahhh good catch yes need the double underscore, I'll have to update that