OAuth2 csrf_detected with Discord Connect

Hello! I’m in desperate need of some help with figuring out this error:

Steps to reproduce:
When a user clicks on their Discord “Connect” button in Preferences,
it correctly redirects the user to Discord’s authorization page.

However after clicking the Authorize button, the user is redirected and met with this message on our forum:
and the error at the top of this topic shows up in the admin logs.

I feel like I’ve read and tried everything to fix this, but it continues to happen. I’ve made sure the Discord Client ID and Secret site settings are correct.
I also made sure the URI was the correct syntax (based on a few related topics I’ve seen):

Any suggestions? I’m willing to try anything, even if you’re unsure it will work :laughing:

Any ideas? Still struggling with this :confused:

I think(?) I’ve narrowed it down to an nginx and/or caching issue? Is there supposed to be auth-specific or CSRF-specific stuff defined in discourse.conf that we could be missing?

@merefield, @david, @sam - sorry for the pings but I see your names in a lot of the older csrf related discussions in the past. Do you have any recommendations for this? With Discord auth being an integrated part of discourse, I’m stumped what could be causing this.

I appreciate any and all help in advance, thanks :smiling_face:

We must be breaking one of these?

I’m still unable to find a pattern. Sometimes it works and connects me correctly, but other times I’m met with the csrf page.

At the moment, I’m most suspect of the last condition check in verified_request?.
Are there any ways to easily check if (valid_request_origin? && any_authenticity_token_valid?) is returning true?

I apologize for the lack of any debug-able information, but I think I was (painfully) able to find (at least what I think) is the issue. I’m still not sure what the fix is, so please read on :kissing_heart:

The pictures below show a back-to-back instance where I was able to successfully link my account, refreshed/tried it again, and unsuccessfully hit the csrf detected page. I was in an incognito window and did/changed literally nothing between the successful connect and csrf failure. Here’s what I found:

So this first pic shows the _forum_session cookie matching in both 1 and 2 request headers, which resulted in a successful connect.

However after I reloaded the page and tried again (and failed to connect), you can see my search on the left side only shows 1 occurrence of the _forum_session cookie in a request header when it resulted in a failure.

tl;dr: I’m pretty sure the issue stems from the _forum_session cookie in the discord?reconnect request header and the following callback? request header not matching. What would cause them to be different?

Ok, I think we’re getting closer.

So in this pic below, you can see an update POST request happening directly after the discord?reconnect POST request.

And sure enough, it’s setting the _forum_session cookie which is causing it to mismatch like I described above.

If I check a successful connection instance (below), you can see the update only occurs before the discord?reconnect POST request.

This causes the _forum_session cookie to match and for it to successfully connect the account without the csrf issue.

How do I prevent that update from occurring after the user has begun the connection process?
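The mismatch described in this post is exactly what OmniAuth's `state` check is designed to catch: the request phase stores a random `state` in the server-side session that the `_forum_session` cookie identifies, and the callback compares the `state` Discord sends back against that stored value. If anything hands the browser a fresh session cookie between the two requests, the callback looks up a session that never held the `state`, and the comparison fails with `csrf_detected`. The Ruby below is an added, self-contained simulation of that flow, not Discourse's or OmniAuth's own code; the in-memory session store, the `request_phase`/`callback_phase` helper names, the Discord authorize URL and the `rotate_session_between:` switch are all constructed for illustration.

```ruby
require 'securerandom'

# Constructed stand-in for a cookie-keyed server-side session store.
# The cookie value plays the role of Discourse's _forum_session cookie.
class SessionStore
  def initialize
    @sessions = {}
  end

  # Issue a brand-new session (a fresh cookie value with an empty session).
  def new_session
    id = SecureRandom.hex(8)
    @sessions[id] = {}
    id
  end

  def [](cookie)
    @sessions[cookie]
  end
end

class OAuthStateError < StandardError; end

# Request phase (hypothetical helper): mint a random state, remember it in the
# caller's session, and build the redirect to the provider carrying that state.
def request_phase(store, cookie)
  state = SecureRandom.hex(16)
  store[cookie]['omniauth.state'] = state
  "https://discord.com/oauth2/authorize?state=#{state}" # URL is illustrative only
end

# Callback phase (hypothetical helper): the provider echoes the state back; it must
# match the one stored in the session identified by the cookie on THIS request.
# A missing, empty or different state is reported the way the thread's log line shows.
def callback_phase(store, cookie, returned_state)
  session = store[cookie] || {}
  expected = session.delete('omniauth.state') # one-time use: consumed on first check
  if expected.nil? || returned_state.to_s.empty? || expected != returned_state
    raise OAuthStateError, 'csrf_detected | CSRF detected'
  end
  :connected
end

# Run one connect attempt. With rotate_session_between: true we mimic the stray
# "update" POST from the thread that sets a new _forum_session cookie after the
# reconnect request but before Discord redirects back to the callback.
def simulate(rotate_session_between:)
  store = SessionStore.new
  cookie = store.new_session
  redirect = request_phase(store, cookie)
  state = redirect[/state=(\h+)/, 1]   # what the browser carries to Discord and back
  cookie = store.new_session if rotate_session_between
  callback_phase(store, cookie, state)
rescue OAuthStateError => e
  e.message
end

# A forged or replayed callback with the wrong state is rejected the same way,
# which is the attack the check exists to stop in the first place.
def simulate_wrong_state
  store = SessionStore.new
  cookie = store.new_session
  request_phase(store, cookie)
  callback_phase(store, cookie, SecureRandom.hex(16))
rescue OAuthStateError => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  puts "stable session:  #{simulate(rotate_session_between: false)}"
  puts "rotated session: #{simulate(rotate_session_between: true)}"
  puts "wrong state:     #{simulate_wrong_state}"
end
```

The takeaway for debugging is that the check itself is behaving correctly in both runs; what differs is whether the cookie presented on `callback` still points at the session that stored the state. Comparing the `_forum_session` value on the `discord?reconnect` request with the value on the `callback` request, as the screenshots in this thread do, is the right way to confirm that, and anything that issues a new session cookie in between (a concurrent request that resets or regenerates the session, a caching layer or proxy that serves a response with a stale `Set-Cookie`) will reproduce the error intermittently.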

@FerrariFlunker sorry for the slow response, but I haven’t had a chance to look at this; it would be great if the core team could.

If it’s any consolation, I can repro, I believe; I’m getting the same error:

(discord) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected