Host specific CSRF token doesn't work for WebSocket connect_session

[hikui]

Environment

• Elixir version (elixir -v): 1.16.3
• Phoenix version (mix deps): 1.7.10
• Operating system: Linux

Actual behavior

To get session in WebSocket, we need to include _csrf_token in the connection parameters. However, if the CSRF token was generated using Plug.CSRFProtection.get_csrf_token_for/1, the validation will always fail.

Expected behavior

Should using host specific CSRF token succeed in WebSocket session? (unless it's by design for some reason?).

Explaination

This happens in 1.7.10 but I guess it also happens in the main branch. Given the CSRF token validation function used in Phoenix.Socket.Transport is Plug.CSRFProtection.valid_state_and_csrf_token?/2, which only accept the format of the CSRF token to be

<<user_token::@double_encoded_token_size-binary, mask::@encoded_token_size-binary>>,

Maybe the following format should also be considered?

<<@digest, _::binary>> = signed_user_token,

[SteffenDE]

I believe this may be an issue for the plug repo. It doesn't look like valid_state_and_csrf_token?/2 is meant to be used with a host based token. I don't know why though.

cc @josevalim

[josevalim]

@hikui please do submit a pull request to Plug! It seems we could support hosts in valid_state_and_csrf_token?/2, although we would need to pass the host as a third argument (we can default it to nil otherwise). Once that's ready, then it is a very easy change to act here. We will go ahead and close it on this side for now, thank you!

[josevalim]

Oh, although one thing to keep in mind is that, in order to use the conn.host in production, you will most likely need to pass it through Plug.RewriteOn. And I don't remember if that's configured for WebSockets.