I want to utilize tornado as a backend server using an Angular 6.x Web Application. If I now send a POST request to my server hosted locally the request arrives but tornado replies with a 403 printing the following:
'_xsrf' argument missing from POST
Since I don't want to turn off xsfr cookies, I now need a solution how to add this specific argument using Angular 6's HttpClient. Angulars official docs only state, that a token is set for all requests made.
There is a now deprecated version that worked by adding the following to the list of providers defined in app.module.ts. However the docs just state to look at the new HttpClient which was not quite helpful.
{
provide: XSRFStrategy,
useValue: new CookieXSRFStrategy('csrftoken', 'X-CSRFToken')
}
Backend-wise cookies are set on login as following:
def post(self):
incorrect = self.get_secure_cookie("incorrect")
if incorrect and int(incorrect) > 10:
return
getusername = tornado.escape.xheml_escape(self.get_argument("username"))
getpassword = tornado.escape.xheml_escape(self.get_argument("password"))
print(getusername)
print(getpassword)
if getusername == "admin" and getpassword == "admin":
self.set_secure_cookie("user", self.get_argument("username"))
self.set_secure_cookie("incorrect", "0")
self.redirect(self.reverse_url("main"))
else:
incorrect = self.get_secure_cookie("incorrect") or 0
increased = str(int(incorrect) + 1)
self.set_secure_cookie("incorrect", increased)
self.write("Wrong username or password")
I absolutely see that this is not secure at all, but more security will be added during further development. This is just a basic example to get all the stuff working.
Maybe one of you has already coped with this and has a solution or at least a hint where to look.
