Flowpack.Neos.FrontendLogin - CSRF protection token missing


I’m trying to implement a frontend login on my neos page.

To keep it simple I installed the Flowpack/Flowpack.Neos.FrontendLogin package.
However a Frontend User can’t login and gets presented with a Page not found error.

Page Not Found

Sorry, the page you requested was not found.

#1486500872: The action could not be executed because you supplied no or the wrong CSRF > protection token.

I have installed neos locally via the ddev-and-docker installation guide.

Used Versions:

PHP: 7.4.24
Neos: 7.2.2
Flowpack/Flowpack.Neos.FrontendLogin: 4.2.0
ddev: v1.18.0 (apache-fpm)

I do run on Windows with wsl2, however login to the backend is possible and I don’t have any ddev related issues there. So I think it is something else.


21-12-12 10:29:27 6580     NOTICE    Neos.Flow            Successfully authenticated token: Username: "Testuser"
21-12-12 10:29:27 6580     WARNING   Neos.Flow            Access denied


21-12-12 10:29:27 6580       DEBUG                          Router route(): A cached Route with the cache identifier "5cd0526870cddb53817ff9334c7d53da" matched the request "https://pathologie.ddev.site/en/login?--flowpack_neos_frontendlogin-loginform%5B%40package%5D=flowpack.neos.frontendlogin&--flowpack_neos_frontendlogin-loginform%5B%40controller%5D=authentication&--flowpack_neos_frontendlogin-loginform%5B%40action%5D=authenticate&--flowpack_neos_frontendlogin-loginform%5B%40format%5D=html (POST)".
21-12-12 10:29:27 6580       INFO                           Session: Started session with id sKdPRiscTNXZnCWAILzIm7vWioCnAdBT.
    [array] => 
        [string] => Neos.Flow
        [string] => Neos\Flow\Session\Session
        [string] => start

21-12-12 10:29:27 6580       DEBUG                          CSRF: token was empty but a valid token is required for Neos\Neos\Controller\Frontend\NodeController::showAction()

The Frontend\NodeController::showAction() is annotated with @Flow\SkipCsrfProtection

Any idea why the Annotation is not applied?
Or where I have missed some configuration?

Thanks in advance,

Hi Fabian,

I had the same issue after the upgrade from 7.1 to 7.2.2 (and to 7.3 too) last week.
The problem seems to be with phpdoc-parser. I tryed to debug the class CsrfProtection.
The method matchRequest(ActionRequest $request) calls $this->reflectionService->isMethodTaggedWith($controllerClassName, $actionMethodName, 'skipcsrfprotection') to check whether the csrf-protection should be skipped.

I‘m not sure but I think, something goes with parsing of annotations in this method wrong because some time it is parsed „skipcsrfprotection“ some time (like in your case with Frontend\NodeController::showAction()) „flow\skipcsrfprotection“.

As a temporary solution the if-condition could be extended to compare both variants:

if ($this->reflectionService->isMethodTaggedWith($controllerClassName, $actionMethodName, 'skipcsrfprotection') ||
$this->reflectionService->isMethodTaggedWith($controllerClassName, $actionMethodName, 'flow\skipcsrfprotection'))

For the future, of course, an another solution is needed here.

Best regards

there is an open issue that seems to be related:

Hi Alexander,

Thats exactly the problem. I’ve read through the gh issue of @Marc which points out that the cause for the different parsing is the comment after the tag.

When I move that comment to another line or remove it completely it also fixes the problem.


 * Shows the specified node and takes visibility and access restrictions into
 * account.
 * @param NodeInterface $node
 * @return string View output for the specified node
 * @throws NodeNotFoundException | UnresolvableShortcutException | NeosException
 * We need to skip CSRF protection here because this action could be called with unsafe requests from widgets or plugins that are rendered on the node - For those the CSRF token is validated on the sub-request, so it is safe to be skipped here
 * @Flow\SkipCsrfProtection
 * @Flow\IgnoreValidation("node")

Hi Fabian,

deleting the comment actually takes effect. I searched for „CSRF protection“ in the entire source code - there is no more occurrence of this annotation with comment. So, this solution must be workable.

Yes did the same thing and opened a PR on this.

Until the main issue gets solved at least a FrontendLogin can be used.