I’m trying to implement a frontend login on my Neos page.
To keep it simple I installed the Flowpack/Flowpack.Neos.FrontendLogin package.
However, a frontend user can’t log in and gets presented with a Page Not Found error:
Page Not Found
Sorry, the page you requested was not found.
#1486500872: The action could not be executed because you supplied no or the wrong CSRF protection token.
I have installed Neos locally via the ddev-and-docker installation guide.
I do run on Windows with WSL2; however, login to the backend is possible and I don’t have any ddev-related issues there. So I think it is something else.
21-12-12 10:29:27 6580 DEBUG Router route(): A cached Route with the cache identifier "5cd0526870cddb53817ff9334c7d53da" matched the request "https://pathologie.ddev.site/en/login?--flowpack_neos_frontendlogin-loginform%5B%40package%5D=flowpack.neos.frontendlogin&--flowpack_neos_frontendlogin-loginform%5B%40controller%5D=authentication&--flowpack_neos_frontendlogin-loginform%5B%40action%5D=authenticate&--flowpack_neos_frontendlogin-loginform%5B%40format%5D=html (POST)".
21-12-12 10:29:27 6580 INFO Session: Started session with id sKdPRiscTNXZnCWAILzIm7vWioCnAdBT.
(session start context: packageKey => Neos.Flow, className => Neos\Flow\Session\Session, methodName => start)
21-12-12 10:29:27 6580 DEBUG CSRF: token was empty but a valid token is required for Neos\Neos\Controller\Frontend\NodeController::showAction()
The Frontend\NodeController::showAction() is annotated with @Flow\SkipCsrfProtection.
Any idea why the Annotation is not applied?
Or where I have missed some configuration?
I had the same issue after the upgrade from 7.1 to 7.2.2 (and to 7.3 too) last week.
The problem seems to be with phpdoc-parser. I tried to debug the class CsrfProtection.
The method matchRequest(ActionRequest $request) calls $this->reflectionService->isMethodTaggedWith($controllerClassName, $actionMethodName, 'skipcsrfprotection') to check whether the csrf-protection should be skipped.
I’m not sure, but I think something goes wrong with the parsing of annotations in this method, because sometimes it is parsed as "skipcsrfprotection" and sometimes (like in your case with Frontend\NodeController::showAction()) as "flow\skipcsrfprotection".
As a temporary solution the if-condition could be extended to compare both variants:
if ($this->reflectionService->isMethodTaggedWith($controllerClassName, $actionMethodName, 'skipcsrfprotection') ||
    $this->reflectionService->isMethodTaggedWith($controllerClassName, $actionMethodName, 'flow\skipcsrfprotection'))
For the future, of course, another solution is needed here.
That’s exactly the problem. I’ve read through the GitHub issue of @Marc, which points out that the cause for the different parsing is the comment after the tag.
When I move that comment to another line or remove it completely, it also fixes the problem:
/**
* Shows the specified node and takes visibility and access restrictions into
* account.
*
*
* @param NodeInterface $node
* @return string View output for the specified node
* @throws NodeNotFoundException | UnresolvableShortcutException | NeosException
* We need to skip CSRF protection here because this action could be called with unsafe requests from widgets or plugins that are rendered on the node - For those the CSRF token is validated on the sub-request, so it is safe to be skipped here
* @Flow\SkipCsrfProtection
* @Flow\IgnoreValidation("node")
*/
Deleting the comment actually takes effect. I searched for "CSRF protection" in the entire source code; there is no other occurrence of this annotation with a comment. So this solution must be workable.
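The fix the thread settles on is to move or delete the free-text line that sits between @throws and @Flow\SkipCsrfProtection, and the last post checks the rest of the code base for the same pattern by grepping. As an added example (not from the thread, and not Neos or Flow code), the following Python script performs that check mechanically: it scans the docblocks in PHP files and reports every @Flow annotation that is preceded by a free-text continuation line in the tag section of its docblock. The sample docblock is a constructed copy of the one quoted above; the heuristic that free text after a tag counts as that tag's description is an assumption about phpDoc conventions, not a statement of how phpdoc-parser actually handles it, and the function and constant names are the example's own.

```python
"""Find @Flow annotations that follow free text inside a docblock's tag section (added example)."""
import re
import sys
from pathlib import Path

# A docblock body is everything between /** and */ (non-greedy, across lines).
DOCBLOCK_RE = re.compile(r"/\*\*(.*?)\*/", re.DOTALL)
# A tag line starts with @ and a possibly namespaced name, e.g. @throws or @Flow\SkipCsrfProtection.
TAG_RE = re.compile(r"^@([A-Za-z_][\w\\]*)")


def docblock_lines(body):
    """Normalise a docblock body: drop the leading '*' and surrounding whitespace of each line."""
    lines = []
    for raw in body.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            line = line[1:].strip()
        lines.append(line)
    return lines


def find_shadowed_annotations(source, prefix="Flow\\"):
    """Return one finding per annotation with the given prefix that is preceded by free text.

    Assumption (phpDoc convention): once the first @tag has been seen, a non-empty line
    that does not start with @ is a continuation of the previous tag's description.
    If such a line is followed by an annotation starting with `prefix`, the annotation
    is reported together with the tag whose description the text got attached to.
    """
    findings = []
    for index, match in enumerate(DOCBLOCK_RE.finditer(source)):
        previous_tag = None  # name of the last tag seen in this docblock
        free_text = None     # free text seen since that tag, if any
        for line in docblock_lines(match.group(1)):
            if not line:
                continue
            tag = TAG_RE.match(line)
            if tag is None:
                if previous_tag is not None:
                    free_text = line
                continue
            name = tag.group(1)
            if free_text is not None and name.startswith(prefix):
                findings.append({"docblock": index, "after_tag": previous_tag,
                                 "text": free_text, "annotation": name})
            previous_tag = name
            free_text = None
    return findings


def scan_tree(root, prefix="Flow\\"):
    """Walk a source tree and return (path, finding) pairs for every PHP file in it."""
    results = []
    for path in Path(root).rglob("*.php"):
        source = path.read_text(encoding="utf-8", errors="replace")
        for finding in find_shadowed_annotations(source, prefix):
            results.append((str(path), finding))
    return results


# Constructed sample: a copy of the docblock quoted in the thread (hypothetical class body).
COMMENT_LINE = "     * We need to skip CSRF protection here because this action could be called with unsafe requests\n"
BROKEN_SAMPLE = (
    "<?php\n"
    "class NodeController {\n"
    "    /**\n"
    "     * Shows the specified node and takes visibility and access restrictions into\n"
    "     * account.\n"
    "     *\n"
    "     * @param NodeInterface $node\n"
    "     * @return string View output for the specified node\n"
    "     * @throws NodeNotFoundException | UnresolvableShortcutException | NeosException\n"
    + COMMENT_LINE +
    "     * @Flow\\SkipCsrfProtection\n"
    "     * @Flow\\IgnoreValidation(\"node\")\n"
    "     */\n"
    "    public function showAction(NodeInterface $node) {}\n"
    "}\n"
)
# The same docblock with the explanatory sentence moved up into the description, above the tags.
FIXED_SAMPLE = BROKEN_SAMPLE.replace(COMMENT_LINE, "").replace("     *\n", "     *\n" + COMMENT_LINE, 1)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = scan_tree(sys.argv[1])
    else:
        hits = [("<sample>", f) for f in find_shadowed_annotations(BROKEN_SAMPLE)]
    for path, f in hits:
        print(f"{path}: docblock #{f['docblock']}: @{f['annotation']} follows free text "
              f"after @{f['after_tag']}: {f['text']!r}")
```

Run it with the path of a Packages directory to list every PHP docblock that has the pattern from the thread; without an argument it reports the constructed sample, which yields exactly one hit (the @Flow\SkipCsrfProtection after @throws), while the variant with the sentence moved into the description yields none.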