Bad csrf token format #160

Open
AdamDorwart opened this issue Jan 16, 2025 · 4 comments

AdamDorwart commented Jan 16, 2025

Using Brave Browser when I look for the cookie in the request header, the "Cookie" field starts with cf_clearance=*****;csrftoken=***.... Using this gives Bad csrf token format.

I'm able to get it to work by stripping the cf_clearance=***; from the beginning so it starts with csrftoken=***; (see my reply below for the real solution).

@LukasBauza

Yeah, I have the same issue, I am also using Brave at the moment.

I installed Firefox and followed the guide within the README.md and copied it that way.

@LukasBauza

Hey @AdamDorwart,

Another Brave user here. I had luck by just copying the entire Cookie from devtools. Notice the highlighted value. Copy that and slap that straight into the Cookie field in neovim.

Image

This worked for me, thanks.

@AdamDorwart
Author

AdamDorwart commented Jan 28, 2025

Yes, that's where I'm pulling it from. Specifically the Request Header Cookie.

Today I had to refresh the cookie. I tried the same technique that worked last time of stripping the cf_clearance field but this time it didn't work. I probably did something else that I didn't realize. Decided to look a little deeper.

The regex is pretty straightforward:

    local csrf = str:match("csrftoken=([^;]+)")
    if not csrf or csrf == "" then
        return nil, "Bad csrf token format"
    end

    local ls = str:match("LEETCODE_SESSION=([^;]+)")
    if not ls or ls == "" then
        return nil, "Bad leetcode session token format"
    end

and I can confirm this correctly matches my cookie.

The real issue is pretty silly. In Brave dev tools, double clicking the 'Cookie' text to highlight it, and then copying it, adds a /CR /LF to the end of the cookie. When you paste this into the NuiInput dialog box and press enter it returns an empty string to the regex. You can tell this is happening when you paste the string and the input box makes this animation and is empty before hitting return.

Image

Solution: Ensure you're at https://leetcode.com and signed in (other pages don't always return both csrftoken and LEETCODE_SESSION). In Brave, highlight the contents of the Request Header Cookie with click and drag. Do not highlight with double click. You should see the tail end of the cookie in the input box before hitting return.
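The failure described in this thread, as an added example that is not part of the original comments or the plugin's own code: a cookie parser that strips stray CR/LF from a paste, reports an empty input separately from a missing token, and names only cookie names (never values) in its errors. `parse_cookie`, its error strings and the sample values are assumptions made for illustration; without the trimming, a pattern like `([^;]+)` would capture a trailing CR/LF into the last cookie's value.

```lua
-- Added example; parse_cookie and its messages are hypothetical names.
local function parse_cookie(raw)
    if type(raw) ~= "string" then
        return nil, "cookie must be a string"
    end
    -- Drop an optional "Cookie:" header name, then every control character
    -- (CR, LF, tab) and the surrounding spaces left over from the copy.
    local str = raw:gsub("^%s*[Cc]ookie:%s*", "")
    str = str:gsub("%c", ""):match("^%s*(.-)%s*$")
    if str == "" then
        return nil, "empty input: the paste was lost (copied with a trailing CR/LF?)"
    end

    -- Split on ';' and match cookie names exactly, so extra cookies such as
    -- cf_clearance in front of csrftoken do not matter.
    local found, names = {}, {}
    for pair in str:gmatch("[^;]+") do
        local name, value = pair:match("^%s*([^=%s]+)%s*=%s*(.-)%s*$")
        if name then
            found[name] = value
            names[#names + 1] = name
        end
    end

    for _, key in ipairs({ "csrftoken", "LEETCODE_SESSION" }) do
        if not found[key] or found[key] == "" then
            -- Report cookie names only; values are secrets.
            return nil, ("missing %s (cookies seen: %s)"):format(key, table.concat(names, ", "))
        end
    end
    return { csrftoken = found.csrftoken, session = found.LEETCODE_SESSION }
end

-- Constructed sample inputs, not real tokens.
local samples = {
    "cf_clearance=AAA;csrftoken=BBB; LEETCODE_SESSION=CCC.DDD\r\n",
    "", -- what the parser receives when the input box comes back empty
    "cf_clearance=AAA; csrftoken=BBB",
}
for i, s in ipairs(samples) do
    local c, err = parse_cookie(s)
    -- Print lengths rather than the token values themselves.
    print(i, c and (#c.csrftoken .. "/" .. #c.session .. " chars") or err)
end
```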


3 participants
@AdamDorwart @LukasBauza and others