I have finally upgraded my app to CakePHP 3.2, since I have solved another problem that I had with 3.1+.

Long story short, I'm using Xety CookieAuth to let my users auto login when they come back to my website, and everything worked flawlessly with Cake 3.0.

With 3.2, I'm having a "page not found" error and I can see this in my log files:

2016-01-31 12:49:42 Error: [Cake\Network\Exception\InvalidCsrfTokenException] Missing CSRF token cookie

What am I doing wrong? I tried to see if something else needed an upgrade, checked the documentation, but everything seems correct...

Edit: I have noticed that if I remove this from my AppController, everything seems to be working. But then I lose the auto login functionality...

if (!$this->Auth->user() && $this->Cookie->read('CookieAuth')) {
    $this->request->data = $this->Cookie->read('CookieAuth');
    $user = $this->Auth->identify();
    $this->loadModel('Users');

    if ($user) {
        $this->Auth->setUser($user);

        /* Check which browser version is in use */
        $userData = $this->Users->find('all')->where(['id' => $user['id']])->first();
        $userData->browser = $this->Browser->getData();
        $this->Users->save($userData);

        /* Check if the user has the contract_accepted flag set to true */
        if ($userData->contract_accepted != true) {
            $this->request->session()->write("checkContract", true);
        }

    } else {
        $this->Cookie->delete('CookieAuth');
    }
}

EDIT

After a few tries, and thanks to ndm pointing me in the right direction, I have found out that my original problem (which I had fixed through an ugly hack) is that CookieAuth is not correctly applying the data coming from my cookies. I have added a couple of debugs in CookieAuthenticate.php, and this is what I have found out:

debug($this->_config['fields']);

/vendor/xety/cake3-cookieauth/src/Auth/CookieAuthenticate.php (line 46)
[
    'username' => 'username',
    'password' => 'password'
]

debug($cookies);

/vendor/xety/cake3-cookieauth/src/Auth/CookieAuthenticate.php (line 47)
[
    'email' => 'info@mydomain.com',
    'password' => 'mypassword'
]

So, how can I tell the plugin that I'm not using username, but email instead?

$this->loadComponent('Auth', [
    'authenticate' => [
        'Form' => [
            'fields' => ['username' => 'email']
        ],
        'Xety/Cake3CookieAuth.Cookie'
    ],
    'loginRedirect' => '/',
    'logoutRedirect' => '/',
]);
ToX 82

2 Answers

I have found what the problem was. When loading the Cake3CookieAuth component you need to tell which fields it should use for authentication. So this is wrong, and generates an error:

$this->loadComponent('Auth', [
    'authenticate' => [
        'Form' => [
            'fields' => ['username' => 'email']
        ],
        'Xety/Cake3CookieAuth.Cookie'
    ],
    ...
]);

And this is the corrected code:

$this->loadComponent('Auth', [
    'authenticate' => [
        'Form' => [
            'fields' => ['username' => 'email']
        ],
        'Xety/Cake3CookieAuth.Cookie' => [
            'fields' => ['username' => 'email']
        ]
    ],
    ...
]);
ToX 82


You are not using the code as suggested in the plugin docs. You're not supposed to read the cookie and write it to the request data; this will render the cookie authenticator useless, as it won't be triggered anymore, since the form authenticator will find the request data and use it for authentication.

The error now happens because of this change:

https://github.com/cakephp/cakephp/pull/7938

It makes CSRF validation be applied not only when the request is POST, PUT, PATCH or DELETE, but whenever there is request data available (no matter where it came from).

ndm
  • Good to know that passing the cookie value to the request data makes the cookie authenticator useless. I wrote that line because I needed a "fix" (a dumb hack, actually): if I remove that line, the user is not identified anymore and the cookie is deleted. I have followed the rest of the docs anyway, except that I'm not loading Cake3CookieAuth in the `public $components` array, but I dynamically load the component through `$this->loadComponent('Auth', .....)` in an initialize function... – ToX 82 Feb 01 '16 at 11:16
  • You have pointed me to the right direction, thank you. But now I am facing what the real problem was: cookieAuth is not getting the correct fields from my cookies, and this is why it wasn't working... – ToX 82 Feb 01 '16 at 18:03
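Putting the two answers together, here is an added example (not code from the question, the answers or the Xety plugin) of an AppController that gives both authenticators the same `fields` mapping and never copies the cookie into request data; the post-login bookkeeping from the question's beforeFilter is moved into an `Auth.afterIdentify` listener. It assumes the asker's own `Browser` component exists and that `Auth.afterIdentify` is also dispatched when the cookie authenticator identifies the user.

```php
<?php
// Added example, not code from the page or the plugin. $this->Browser is the
// asker's own component and is assumed to exist; the Auth.afterIdentify
// listener assumes the event also fires for cookie-based identification.
namespace App\Controller;

use Cake\Controller\Controller;
use Cake\Event\Event;

class AppController extends Controller
{
    public function initialize()
    {
        parent::initialize();
        $this->loadComponent('Csrf');
        $this->loadComponent('Cookie');
        $this->loadComponent('Browser'); // asker's component (assumed)
        $this->loadComponent('Auth', [
            'authenticate' => [
                // Every authenticator needs the same 'fields' mapping: a bare
                // 'Xety/Cake3CookieAuth.Cookie' entry falls back to 'username'
                // and never matches a cookie that holds 'email'.
                'Form' => [
                    'fields' => ['username' => 'email'],
                ],
                'Xety/Cake3CookieAuth.Cookie' => [
                    'fields' => ['username' => 'email'],
                ],
            ],
            'loginRedirect' => '/',
            'logoutRedirect' => '/',
        ]);

        // The work the question did in beforeFilter after copying the cookie
        // into $this->request->data. Done here, it runs for form and cookie
        // logins alike, and GET requests keep empty request data, so the
        // Csrf component has no token to demand.
        $this->eventManager()->on('Auth.afterIdentify', function (Event $event, array $user) {
            $this->loadModel('Users');
            $userData = $this->Users->get($user['id']);
            $userData->browser = $this->Browser->getData();
            $this->Users->save($userData);

            if (!$userData->contract_accepted) {
                $this->request->session()->write('checkContract', true);
            }
        });
    }
}
```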