
[Bug]: CSRF check failed #40626

Open
Boc-chi-no opened this issue Sep 26, 2023 · 13 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap 27-feedback bug feature: authentication feature: dav feature: files needs review Needs review to determine if still applicable

Comments


Boc-chi-no commented Sep 26, 2023


Bug description

I am getting frequent HTTP 412 errors; the response says {"message": "CSRF check failed"}.
I think everything I've configured is reasonable. It started to appear since the upgrade to V26, and since recently upgrading to V27 the problem has become more frequent!
According to my experiments and observations, I found that this problem may have something to do with the layout's head tag: when I use the data-requesttoken returned to me in the page's head to make a request, it generates a 412 error, but when I use "/csrftoken" to get the token, the request works!
I have observed that this problem has been around for a long time and has not been resolved on the internet, so I hope to receive your further attention.
I'd like to make a suggestion: would it be possible to catch a 412 error on the front-end, then call /csrftoken to refresh the CSRF token and immediately re-send the request?

https://github.com/nextcloud/server/blob/master/core/templates/layout.base.php#L3
https://github.com/nextcloud/server/blob/master/core/Controller/CSRFTokenController.php#L57

Steps to reproduce

1. Clicking a page
2. Accessing an interface without the @NoCSRFRequired annotation

Expected behavior

The request was successful

Installation method

Community Manual installation with Archive

Nextcloud Server version

27

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.0

Web server

Nginx

Database engine version

MySQL

Is this bug present after an update or on a fresh install?

Upgraded to a MAJOR version (ex. 22 to 23)

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "trusted_domains": [
            "xxxxxxx:xxxxx"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "27.1.0.7",
        "overwrite.cli.url": "https:\/\/xxxxxx:xxxx\/xxxxxx\/",
        "overwriteprotocol": "https",
        "allow_local_remote_servers": "true",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "twofactor_enforced": "true",
        "tempdirectory": "\/data\/nextcloud_tmp\/",
        "default_language": "ja",
        "default_locale": "jp-JA",
        "twofactor_enforced_groups": [
            "admin"
        ],
        "twofactor_enforced_excluded_groups": [],
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": 1,
        "mail_smtpsecure": "tls",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "updater.release.channel": "stable",
        "theme": "",
        "loglevel": 0,
        "default_phone_region": "JP",
        "app_install_overwrite": [
            "epubreader",
            "scanner"
        ]
    }
}

List of activated Apps

Enabled:
  - activity: 2.19.0
  - admin_audit: 1.17.0
  - bruteforcesettings: 2.7.0
  - circles: 27.0.1
  - cloud_federation_api: 1.10.0
  - comments: 1.17.0
  - contacts: 5.4.2
  - contactsinteraction: 1.8.0
  - dashboard: 7.7.0
  - dav: 1.27.0
  - deck: 1.11.0
  - duplicatefinder: 1.0.5
  - external: 5.2.1
  - extract: 1.3.6
  - federatedfilesharing: 1.17.0
  - federation: 1.17.0
  - files: 1.22.0
  - files_3dmodelviewer: 0.0.12
  - files_accesscontrol: 1.17.1
  - files_external: 1.19.0
  - files_fulltextsearch: 27.0.1
  - files_mindmap: 0.0.29
  - files_pdfviewer: 2.8.0
  - files_reminders: 1.0.0
  - files_rightclick: 1.6.0
  - files_sharing: 1.19.0
  - files_trashbin: 1.17.0
  - files_versions: 1.20.0
  - fulltextsearch: 27.0.1
  - fulltextsearch_elasticsearch: 27.0.2
  - health: 1.6.2
  - impersonate: 1.14.0
  - logreader: 2.12.0
  - lookup_server_connector: 1.15.0
  - metadata: 0.19.0
  - ncdownloader: 1.0.20
  - nextcloud_announcements: 1.16.0
  - notes: 4.8.1
  - notifications: 2.15.0
  - oauth2: 1.15.1
  - password_policy: 1.17.0
  - photos: 2.3.0
  - previewgenerator: 5.3.0
  - privacy: 1.11.0
  - provisioning_api: 1.17.0
  - quota_warning: 1.17.0
  - recognize: 4.3.2
  - recommendations: 1.6.0
  - related_resources: 1.2.0
  - richdocuments: 8.2.0
  - scanner: 0.2.3
  - serverinfo: 1.17.0
  - settings: 1.9.0
  - sharebymail: 1.17.0
  - side_menu: 3.10.3
  - support: 1.10.0
  - survey_client: 1.15.0
  - suspicious_login: 5.0.0
  - systemtags: 1.17.0
  - text: 3.8.0
  - theming: 2.2.0
  - theming_customcss: 1.14.0
  - twofactor_backupcodes: 1.16.0
  - twofactor_totp: 9.0.0
  - twofactor_webauthn: 1.2.0
  - updatenotification: 1.17.0
  - user_saml: 5.2.2
  - user_status: 1.7.0
  - video_converter: 1.0.6
  - viewer: 2.1.0
  - weather_status: 1.7.0
  - workflowengine: 2.9.0
Disabled:
  - encryption: 2.15.0
  - firstrunwizard: 2.16.0 (installed 2.10.0)
  - user_ldap: 1.17.0

Nextcloud Signing status

No response

Nextcloud Logs

{"reqId":"7pguVp7wVcp1j7oblyn6","level":0,"time":"2023-09-26T02:54:55+00:00","remoteAddr":"xxxx","user":"xxxx","app":"no app in context","method":"GET","url":"/nextcloud/apps/xxxxxxxxxxxx","message":"CSRF check failed","userAgent":"xxxxxxxxxxxx","version":"27.1.0.7","exception":{"Exception":"OC\\AppFramework\\Middleware\\Security\\Exceptions\\CrossSiteRequestForgeryException","Message":"CSRF check failed","Code":412,"Trace":[{"file":"/xxxxx/wwwroot/nextcloud/nextcloud/lib/private/AppFramework/Middleware/MiddlewareDispatcher.php","line":96,"function":"beforeController","class":"OC\\AppFramework\\Middleware\\Security\\SecurityMiddleware","type":"->"},{"file":"/xxxxx/wwwroot/nextcloud/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":129,"function":"beforeController","class":"OC\\AppFramework\\Middleware\\MiddlewareDispatcher","type":"->"},{"file":"/xxxxx/wwwroot/nextcloud/nextcloud/lib/private/AppFramework/App.php","line":183,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/xxxxx/wwwroot/nextcloud/nextcloud/lib/private/Route/Router.php","line":315,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/xxxxx/wwwroot/nextcloud/nextcloud/lib/base.php","line":1068,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/xxxxx/wwwroot/nextcloud/nextcloud/index.php","line":36,"function":"handleRequest","class":"OC","type":"::"}],"File":"/xxxxx/wwwroot/nextcloud/nextcloud/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php","Line":224,"message":"CSRF check failed","exception":{},"CustomMessage":"CSRF check failed"}}

Additional info

Nextcloud 27.1.0
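The retry the reporter proposes, as an added example written for this page (not Nextcloud's own code and not from the issue author): send the token from <head data-requesttoken>, and if the server answers 412 with {"message":"CSRF check failed"}, fetch a fresh token from /csrftoken, store it back in <head>, and retry exactly once. It assumes, without the page confirming it, that /csrftoken answers {"token":"..."}, that the server accepts the token in a "requesttoken" request header, and that fetch and document are injected through `deps` so the logic can run outside a browser.

```javascript
// Added example (not Nextcloud's own code, not from the issue author).
// Send the <head data-requesttoken> value; on 412 {"message":"CSRF check failed"}
// fetch a fresh token from /csrftoken, write it back into <head>, retry once.
// Assumptions (mine, not stated on the page): /csrftoken answers {"token":"..."},
// the server reads the token from a "requesttoken" header, and fetch/document
// are injected via `deps` so the logic is testable outside a browser.

const CSRF_STATUS = 412;
const CSRF_MESSAGE = 'CSRF check failed';

// Read a JSON body without assuming it is JSON (a 412 may also be an HTML page).
async function parseJsonBody(resp) {
  const src = typeof resp.clone === 'function' ? resp.clone() : resp;
  try {
    return await src.json();
  } catch (e) {
    return null;
  }
}

// True only for the specific CSRF failure shape reported in this issue.
async function isCsrfFailure(resp) {
  if (resp.status !== CSRF_STATUS) return false;
  const body = await parseJsonBody(resp);
  return body !== null && body.message === CSRF_MESSAGE;
}

// Ask the server for a new token and write it into <head data-requesttoken>.
async function refreshToken(fetchImpl, doc, baseUrl) {
  const resp = await fetchImpl(`${baseUrl}/csrftoken`, { credentials: 'same-origin' });
  if (resp.status !== 200) return null;
  const body = await parseJsonBody(resp);
  if (!body || typeof body.token !== 'string' || body.token === '') return null;
  doc.head.setAttribute('data-requesttoken', body.token);
  return body.token;
}

// Returns { response, retried } so callers can log how often the retry fires.
async function fetchWithCsrfRetry(url, options = {}, deps) {
  const { fetchImpl, doc, baseUrl = '' } = deps;
  const send = (token) => fetchImpl(url, {
    ...options,
    credentials: 'same-origin',
    headers: { ...(options.headers || {}), requesttoken: token },
  });
  const stale = doc.head.getAttribute('data-requesttoken');
  const first = await send(stale);
  if (!(await isCsrfFailure(first))) return { response: first, retried: false };
  const fresh = await refreshToken(fetchImpl, doc, baseUrl);
  // No usable new token (refresh failed, or the server handed back the same
  // one): return the original failure instead of looping on a dead session.
  if (fresh === null || fresh === stale) return { response: first, retried: false };
  return { response: await send(fresh), retried: true };
}
```

Note that a 412 whose body is not the CSRF JSON is returned untouched, so unrelated precondition failures never trigger a token refresh.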

@Boc-chi-no Boc-chi-no added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Sep 26, 2023
@Boc-chi-no Boc-chi-no changed the title [Bug]: [Bug]: CSRF check failed Sep 26, 2023

ostasevych commented Oct 21, 2023

I have the same issue; the message appears every second in the nextcloud.log file, just exhausting it:

[no app in context] Debug: OC\AppFramework\Middleware\Security\Exceptions\CrossSiteRequestForgeryException: CSRF check failed at <<closure>>

0. /var/www/html/nextcloud/lib/private/AppFramework/Middleware/MiddlewareDispatcher.php line 96
   OC\AppFramework\Middleware\Security\SecurityMiddleware->beforeController()
1. /var/www/html/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 129
   OC\AppFramework\Middleware\MiddlewareDispatcher->beforeController()
2. /var/www/html/nextcloud/lib/private/AppFramework/App.php line 183
   OC\AppFramework\Http\Dispatcher->dispatch()
3. /var/www/html/nextcloud/lib/private/Route/Router.php line 315
   OC\AppFramework\App::main()
4. /var/www/html/nextcloud/lib/base.php line 1068
   OC\Route\Router->match()
5. /var/www/html/nextcloud/index.php line 36
   OC::handleRequest()

GET /apps/files/api/v1/stats
from ***.***.***.*** by username at 2023-10-21T11:54:33+03:00

@markoftw

Receiving the same on 27.1, unable to log in or reset the password.

  Debug    no app in context  OC\AppFramework\Middleware\Security\Exceptions\CrossSiteRequestForgeryException: CSRF check failed at                              2023-11-10T22:48:24+00:00
                              .../Middleware/Security/SecurityMiddleware.php line 224
                              0. .../Middleware/MiddlewareDispatcher.php line 96
                                 OC\AppFramework\Middleware\Security\SecurityMiddleware->beforeController(
                                   ["OC\\Core\\Controller\\WebAuthnController"],
                                   "startAuthentication"
                                 )
                              1. lib/private/AppFramework/Http/Dispatcher.php line 129
                                 OC\AppFramework\Middleware\MiddlewareDispatcher->beforeController(
                                   ["OC\\Core\\Controller\\WebAuthnController"],
                                   "startAuthentication"
                                 )
                              2. lib/private/AppFramework/App.php line 183
                                 OC\AppFramework\Http\Dispatcher->dispatch(["OC\\Core\\Controller\\WebAuthnController"], "startAuthentication")
                              3. lib/private/Route/Router.php line 315
                                 OC\AppFramework\App::main(
                                   "OC\\Core\\Controller\\WebAuthnController",
                                   "startAuthentication",
                                   ["OC\\AppFramework\\DependencyInjection\\DIContainer"],
                                   ["core.WebAuthn.startAuthentication"]
                                 )
                              4. lib/base.php line 1068
                                 OC\Route\Router->match("\/login\/webauthn\/start")
                              5. index.php line 36
                                 OC::handleRequest(

                                 )


Korsani commented Feb 22, 2024

Same here.
I have "CSRF check failed" when I log out, and it does not log me out.
Server 28.0.2.5
php 8.2
Mariadb 10.6.14

With occ log:watch:

  Debug    no app in context  OC\AppFramework\Middleware\Security\Exceptions\CrossSiteRequestForgeryException: CSRF check failed at                               2024-02-22T13:31:58+00:00
                              .../Middleware/Security/SecurityMiddleware.php line 219

                              0. .../Middleware/MiddlewareDispatcher.php line 96
                                 OC\AppFramework\Middleware\Security\SecurityMiddleware->beforeController(

                                 )
                              1. lib/private/AppFramework/Http/Dispatcher.php line 129
                                 OC\AppFramework\Middleware\MiddlewareDispatcher->beforeController(

                                 )
                              2. lib/private/AppFramework/App.php line 184
                                 OC\AppFramework\Http\Dispatcher->dispatch(

                                 )
                              3. lib/private/Route/Router.php line 315
                                 OC\AppFramework\App::main(

                                 )
                              4. lib/base.php line 1069
                                 OC\Route\Router->match(

                                 )
                              5. index.php line 39
                                 OC::handleRequest(

                                 )

And in the log:
{"reqId":"m7yIDjXDYl1bavgrqgD5","level":0,"time":"2024-02-22T13:42:15+00:00","remoteAddr":"80.125.52.13","user":"gab","app":"no app in context","method":"GET","url":"/logout?requesttoken=DeZBHtvacVl4jpRucZBplSIqPnZ%2Bp5Aj%2B%2BJ1pFdt3rE%3D%3ASp81dK%2BdJDgSzeddFtIawm5%2BdEMdzKhV1LMU9BkrjOM%3D","message":"CSRF check failed","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0","version":"28.0.2.5","exception":{"Exception":"OC\\AppFramework\\Middleware\\Security\\Exceptions\\CrossSiteRequestForgeryException","Message":"CSRF check failed","Code":412,"Trace":[{"file":"/var/www/nextcloud/lib/private/AppFramework/Middleware/MiddlewareDispatcher.php","line":96,"function":"beforeController","class":"OC\\AppFramework\\Middleware\\Security\\SecurityMiddleware","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":129,"function":"beforeController","class":"OC\\AppFramework\\Middleware\\MiddlewareDispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/App.php","line":184,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/Route/Router.php","line":315,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/var/www/nextcloud/lib/base.php","line":1069,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/var/www/nextcloud/index.php","line":39,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/nextcloud/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php","Line":219,"message":"CSRF check failed","exception":{},"CustomMessage":"CSRF check failed"}}
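A small triage helper for the JSON-lines nextcloud.log, added here as an example (not Nextcloud's own tooling and not posted by anyone in this thread): it keeps only "CSRF check failed" entries, strips the requesttoken query parameter before a URL is reported (the logout URL in the log line above carries a live token), and groups the failures by method and path with count, distinct users and time span. The sample log lines embedded below are constructed for the example, not taken from a real instance.

```javascript
// Added example; not Nextcloud's own tooling. Node.js triage over nextcloud.log.
const CSRF_MESSAGE = 'CSRF check failed';

// Constructed sample input in nextcloud.log format (one JSON object per line);
// the last line is deliberately truncated to exercise tolerant parsing.
const SAMPLE_LOG = String.raw`
{"reqId":"c1","level":0,"time":"2024-02-22T13:42:15+00:00","remoteAddr":"198.51.100.7","user":"alice","app":"no app in context","method":"GET","url":"/logout?requesttoken=AAAA%3D%3ABBBB%3D","message":"CSRF check failed","version":"28.0.2.5","exception":{"Exception":"OC\\AppFramework\\Middleware\\Security\\Exceptions\\CrossSiteRequestForgeryException","Code":412}}
{"reqId":"c2","level":0,"time":"2024-02-22T13:42:16+00:00","remoteAddr":"198.51.100.7","user":"alice","app":"no app in context","method":"GET","url":"/apps/files/api/v1/stats","message":"CSRF check failed","version":"28.0.2.5"}
{"reqId":"c3","level":0,"time":"2024-02-22T13:42:17+00:00","remoteAddr":"203.0.113.9","user":"bob","app":"no app in context","method":"GET","url":"/apps/files/api/v1/stats","message":"CSRF check failed","version":"28.0.2.5"}
{"reqId":"c4","level":2,"time":"2024-02-22T13:42:18+00:00","remoteAddr":"203.0.113.9","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: bob (Remote IP: 203.0.113.9)","version":"28.0.2.5"}
{"reqId":"c5","level":0,"time":"2024-02-22T13:42:19+00:
`;

// Parse JSON lines tolerantly: a truncated or rotated line must not abort triage.
function parseLogLines(text) {
  const entries = [];
  for (const line of text.split('\n')) {
    const s = line.trim();
    if (!s) continue;
    try {
      entries.push(JSON.parse(s));
    } catch (e) {
      // skip unparsable line
    }
  }
  return entries;
}

// Drop the requesttoken value so reports and tickets never carry a usable token.
function redactUrl(url) {
  const s = String(url);
  const q = s.indexOf('?');
  if (q === -1) return s;
  const path = s.slice(0, q);
  const kept = s.slice(q + 1).split('&').filter((p) => !p.toLowerCase().startsWith('requesttoken='));
  return kept.length ? `${path}?${kept.join('&')}` : path;
}

// Group CSRF failures by "METHOD path", most frequent route first. nextcloud.log
// writes ISO timestamps with one fixed offset, so they compare correctly as strings.
function summarizeCsrfFailures(entries) {
  const groups = new Map();
  for (const e of entries) {
    if (e.message !== CSRF_MESSAGE) continue;
    const route = `${e.method} ${redactUrl(e.url)}`;
    const g = groups.get(route) || { count: 0, users: new Set(), first: e.time, last: e.time };
    g.count += 1;
    g.users.add(e.user);
    if (e.time < g.first) g.first = e.time;
    if (e.time > g.last) g.last = e.time;
    groups.set(route, g);
  }
  return [...groups.entries()]
    .map(([route, g]) => ({ route, count: g.count, users: [...g.users].sort(), first: g.first, last: g.last }))
    .sort((a, b) => b.count - a.count);
}
```

Run it on a real file with `summarizeCsrfFailures(parseLogLines(require('fs').readFileSync('nextcloud.log', 'utf8')))`; a single route dominating the output (as /apps/files/api/v1/stats does above) points at one client-side caller with a stale token rather than a server-wide fault.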


rcjcarr commented Mar 11, 2024

Same here, NC 28.0.3; the issue comes and goes. Access via the iOS app works, but not with browsers.

@Boc-chi-no (Author)

My problem was resolved while I was attempting to address another issue concerning slow access to Nextcloud. Upon checking the log, I discovered numerous occurrences of
"GuzzleHttp\Exception\ConnectException: cURL error 28: Connection timed out after 10001 milliseconds (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://xxx.xxx.xxx/ocm-provider/ "
I realized that this issue was associated with federated cloud. Therefore, I removed all federated cloud connections, which restored Nextcloud's performance to normal and inadvertently resolved the problem, although I fail to comprehend the connection between these two issues.

@miqrogroove

> Same here. I have "CSRF check failed" when I log out. And it does not log me out Server 28.0.2.5

I just experienced this on Server 28.0.3.

I visited the front page where it showed me the menus and chat mentions. I clicked the Log out link. The result was a Nextcloud-style Forbidden screen with a CSRF error. When I returned to the front page again and clicked Log out again, the problem went away that time.

@fastSimulations

The issue persists on NC 29: if I leave a login idle it will time out and, rather than logging out, it creates the CSRF failure. However, the login is not closed, as I can change the URL and re-access the session, despite the fact that the session end should have occurred.

@michnovka

Do you have HTTP/2 enabled? I have this issue frequently: random things stop working with an "Invalid action" error (like clicking on the details of a file). Sometimes loading the /files/files URL, which should show the root folder, is just empty, saying "No Files". A refresh fixes it.
When checking the console, I see CSRF errors; refreshing the page solves it.
This has been happening since NC27 or so, around the same time HTTP/2 was enabled on our reverse proxy.

@michnovka

This is still ongoing, for random actions, like uploading a file:

<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\NotAuthenticated</s:exception>
  <s:message>CSRF check not passed.</s:message>
</d:error>

Refreshing page fixes the issue.


viceice commented Oct 23, 2024

I'm now seeing this happening on Nextcloud v30 on one instance 😕
I don't see it on another instance configured nearly the same (same reverse proxy).


viceice commented Oct 23, 2024

OK, I could reduce it by disabling the text app. So all the failing apps/text/session/<num>/push and apps/text/session/<num>/sync requests are gone and the web UI is usable again.

@joshtrichards joshtrichards added the needs review Needs review to determine if still applicable label Oct 29, 2024

viceice commented Nov 5, 2024

I still see a lot of errors in my browsers and then empty file lists. They're gone after a few reloads.

url: /remote.php/dav/files/XXXXX/
status: 401
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
	<s:exception>Interner Serverfehler</s:exception>
	<s:message>
		Der Server konnte die Anfrage nicht fertig stellen.		Sollte dies erneut auftreten, senden Sie bitte die nachfolgenden technischen Einzelheiten  an Ihren Server-Administrator.		Weitere Details können im Server-Protokoll gefunden werden.			</s:message>

	<s:technical-details>
		<s:remote-address>2001:9e8:f734:5900:199c:8858:7619:aa71</s:remote-address>
		<s:request-id>m8HhXNUyUvsgjV3OGagL</s:request-id>

		</s:technical-details>
</d:error>


viceice commented Nov 7, 2024

OK, I could solve it by moving the Redis connections to my Valkey master node only. It would be really nice if Nextcloud could support Redis+Sentinel.
