However, after clicking the Authorize button, the user is redirected and met with this message on our forum:
and the error at the top of this topic shows up in the admin logs.
I feel like I’ve read and tried everything to fix this, but it continues to happen. I’ve made sure the Discord Client ID and Secret site settings are correct.
I also made sure the URI had the correct syntax (based on a few related topics I’ve seen):
@merefield, @david, @sam - sorry for the pings, but I see your names in a lot of the older CSRF-related discussions. Do you have any recommendations for this? With Discord auth being an integrated part of Discourse, I’m stumped as to what could be causing this.
I apologize for the lack of any debuggable information, but I think I was (painfully) able to find what (at least I think) is the issue. I’m still not sure what the fix is, so please read on.
The pictures below show a back-to-back instance where I was able to successfully link my account, then refreshed/tried it again and unsuccessfully hit the CSRF detected page. I was in an incognito window and did/changed literally nothing between the successful connect and the CSRF failure. Here’s what I found:
So this first pic shows the `_forum_session` cookie matching in both request headers 1 and 2, which resulted in a successful connect.
However, after I reloaded the page and tried again (and failed to connect), you can see my search on the left side only shows one occurrence of the `_forum_session` cookie in a request header, which resulted in a failure.
tl;dr: I’m pretty sure the issue stems from the `_forum_session` cookie in the `discord?reconnect` request header and in the following `callback?` request header not matching. What would cause them to be different?
Nice digging! This kind of race condition could certainly cause the issues you’re seeing.
That said, we haven’t had any other reports of this problem, so it sounds like it must be something specific to your site/configuration. What plugins do you have installed on the site? Can you open up the “update” call and see what payload is being sent?
The reason it was fixed after removing the chat plugin is that Chat makes heavy use of this ‘PresenceChannel’ API, and so the issue is far more likely to happen. I don’t think any changes will be required in chat.
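To make the cookie-mismatch diagnosis above and the race condition the replies describe concrete, here is an added example that is not Discourse, OmniAuth or Discord code. It models the OAuth2 `state` check the way most OAuth libraries do it: the random `state` generated on the `/auth/discord` request is stored in the server-side session that the browser's session cookie resolves to, and the `/auth/discord/callback` request is only accepted if the `state` in its URL matches the one stored in the session that the callback's cookie resolves to. The cookie values, the `SessionStore` class, the authorize URL shape and the "concurrent request rotates the session cookie" step are all assumptions made for illustration; the last one is a stand-in for the presence-update request the thread suspects.

```ruby
require 'securerandom'

# In-memory stand-in for a server-side session store keyed by the value of
# the session cookie (Discourse's `_forum_session`). Assumed for this example.
class SessionStore
  def initialize
    @sessions = {} # cookie value => session hash
  end

  # A cookie the server has never issued (or that has since been replaced)
  # resolves to a fresh, empty session, which holds no stored OAuth state.
  def fetch(cookie)
    @sessions[cookie] ||= {}
  end

  def new_cookie
    SecureRandom.hex(16)
  end
end

class OAuthClient
  attr_reader :store

  def initialize
    @store = SessionStore.new
  end

  # Step 1: the browser requests /auth/discord. Generate a random state,
  # remember it in the session bound to the caller's cookie, and build the
  # provider redirect. Returns [redirect_url, state].
  def begin_auth(cookie)
    state = SecureRandom.hex(24)
    store.fetch(cookie)['oauth_state'] = state
    ["https://discord.com/api/oauth2/authorize?state=#{state}", state]
  end

  # Step 2: the provider redirects to /auth/discord/callback?code=...&state=...
  # The state in the URL must equal the single-use state stored in the session
  # that the *callback* request's cookie resolves to. Any mismatch, including
  # "no state stored at all", is reported as CSRF.
  def callback(cookie, state_param)
    session = store.fetch(cookie)
    expected = session.delete('oauth_state') # consumed on first use
    if expected.nil? || !secure_compare(expected, state_param)
      return { ok: false, error: 'CSRF detected' }
    end
    { ok: true }
  end

  private

  # Constant-time comparison so the state check itself leaks no timing info.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Happy path: the same session cookie is sent on both requests, as in the
# first screenshot (cookie present and identical in request headers 1 and 2).
def successful_flow
  client = OAuthClient.new
  cookie = client.store.new_cookie
  _url, state = client.begin_auth(cookie)
  client.callback(cookie, state)
end

# Race: between begin_auth and the callback, some other request (the thread's
# suspect is a presence update) makes the server issue a new session cookie.
# The callback then arrives under a cookie whose session holds no stored
# state, so the otherwise valid state from Discord is rejected as CSRF.
def racy_flow
  client = OAuthClient.new
  cookie = client.store.new_cookie
  _url, state = client.begin_auth(cookie)
  rotated_cookie = client.store.new_cookie # assumed concurrent session reset
  client.callback(rotated_cookie, state)
end

if __FILE__ == $PROGRAM_NAME
  p successful_flow
  p racy_flow
end
```

The point the model makes is that the server never compares the two cookie values directly; it only needs the callback's cookie to land on the session where the state was saved. Anything that replaces the session cookie between the two requests, whether a concurrent request that resets the session or a cookie dropped by the browser, produces exactly the "CSRF detected" result even though the user did nothing wrong. When debugging this in a real deployment, compare the `Cookie` header of the authorize request with the `Set-Cookie` responses of every request that completes before the callback, not just the two OAuth hops.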